Security Scan
OpenClaw
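Safe
medium confidence
Security scan summary: not provided
Assessment recommendations
Security assessment: not provided...
Detailed analysis
✓ Purpose and capabilities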
Name/description match the implemented actions: scripts start/stop Chrome in CDP mode, configure OpenClaw to attach to the local CDP port, and provide status/troubleshooting tools. There are no unrelated credentials, external downloads, or unexpected network endpoints.
ℹ Instruction scope
SKILL.md and the scripts instruct the agent/user to read and overwrite the user's OpenClaw configuration file (~/.openclaw/openclaw.json or %USERPROFILE%\.openclaw\openclaw.json) and to restart the gateway. This is necessary for the stated goal but is a system-level config change; the scripts also execute system commands (launching Chrome, taskkill/killall) which is expected for start/stop behavior.
✓ Install mechanism
No remote install or downloads are defined; this is an instruction-and-script skill shipped with source files. Packaging scripts exist but use local system zip/archiver tools—no external code fetches or URL downloads were observed.
ℹ Credential requirements
The skill requests no credentials or env vars, but it directly reads/writes the user's OpenClaw configuration and uses process.env.USERPROFILE (Windows-centric). The most important concern is that configure-browser.js sets ssrfPolicy.dangerouslyAllowPrivateNetwork = true, which intentionally broadens SSRF access to private networks — this is functionally justified by the skill but is a high-impact, security-sensitive change that should be explicitly authorized by the user/administrator.
ℹ Persistence and privileges
The skill is not always-enabled and does not request special platform privileges, but it does modify a system-level OpenClaw configuration file (global browser/ssrf settings). That modification persists until reverted and affects other OpenClaw browser behavior, so it carries system-wide impact even though it's coherent with the skill's purpose.
⚠ scripts/package.js:85
Shell command execution detected (child_process).
⚠ scripts/setup.js:21
Shell command execution detected (child_process).
⚠ scripts/simple-package.js:40
Shell command execution detected (child_process).
⚠ scripts/start-chrome.js:52
Shell command execution detected (child_process).
⚠ scripts/stop-chrome.js:96
Shell command execution detected (child_process).
⚠ scripts/troubleshoot.js:72
Shell command execution detected (child_process).
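Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Install command
Official: npx clawhub@latest install browser-local-chrome
Mirror (accelerated): npx clawhub@latest install browser-local-chrome --registry https://cn.longxiaskill.com (mirror available)
Skill documentation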
Configure and manage local Chrome in debug mode for browser automation with OpenClaw.
Features
- Chrome Debug Mode: Launch Chrome with remote debugging enabled
- SSRF Whitelist: Configure SSRF whitelist for secure browser automation
- Browser Status Check: Monitor and verify browser status
- OpenClaw Integration: Seamlessly work with OpenClaw for browser automation tasks
Setup
Prerequisites
- Chrome browser installed on your system
- OpenClaw installed
Configuration
# Launch Chrome in debug mode
openclaw browser start
# Check browser status
openclaw browser status
# Configure SSRF whitelist
openclaw browser whitelist add
Usage
Starting Chrome in Debug Mode
openclaw browser start --port=9222
Checking Browser Status
openclaw browser status
Managing SSRF Whitelist
# Add domain to whitelist
openclaw browser whitelist add example.com
# Remove domain from whitelist
openclaw browser whitelist remove example.com
# List all whitelisted domains
openclaw browser whitelist list
Security
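This skill includes SSRF (Server-Side Request Forgery) protection through whitelist configuration. Only domains added to the whitelist can be accessed during browser automation tasks. The security scan on this page reports that configure-browser.js sets ssrfPolicy.dangerouslyAllowPrivateNetwork = true, which broadens access to private networks, so review that setting alongside the whitelist.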
Troubleshooting
Chrome not starting
- Ensure Chrome is installed
- Check if port 9222 is available
- Verify debug mode is enabled in Chrome settings
Status check failing
- Verify Chrome is running in debug mode
- Check network connectivity
- Ensure proper permissions