Low Risk — Risk Score 25/100
Last scan: 23 hr ago
pinchtab
Browser automation via HTTP API. Use for headless browser control, web automation, form filling, data extraction, and interactive element interaction.
Skill is a legitimate browser automation tool backed by a local HTTP API, but contains hardcoded service credentials and vague credential handling in docs.
Skill Name: pinchtab
Duration: 52.5s
Engine: pi
Safe to install
Replace the hardcoded PinchTab API tokens with environment variable references only, and rotate the token that ships in plaintext in the scripts. Document credential sourcing clearly in SKILL.md.

Findings (4 items)

Severity | Finding [Category] | Location
Medium
Hardcoded PinchTab API tokens in four shell scripts [Credential Theft]
scripts/launch_browser.sh, navigate_to_url.sh, click_element.sh, and get_page_snapshot.sh each hardcode the same static Bearer token 'b6a91002205211861a1840bc7d1f55e98757ba635436b5a7' directly in the curl command instead of reading the PINCHTAB_TOKEN environment variable. This exposes a service credential in plaintext in four files: anyone with a copy of the skill holds that credential.
TOKEN="b6a91002205211861a1840bc7d1f55e98757ba635436b5a7"
→ Replace the hardcoded TOKEN= values with TOKEN="${PINCHTAB_TOKEN:?PINCHTAB_TOKEN must be exported}" so that each script aborts when the variable is missing (the weaker TOKEN="${PINCHTAB_TOKEN:-}" form would silently send an empty Bearer header). This aligns with how screenshot_and_send.sh and decode_screenshot.py handle credentials. Treat the exposed token as compromised and rotate it.
scripts/launch_browser.sh:6, scripts/navigate_to_url.sh:6, scripts/click_element.sh:6, scripts/get_page_snapshot.sh:5
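As an added example (not code from the pinchtab skill or from this report), the script below shows both halves of the fix: a scan that reports every TOKEN="<hex literal>" assignment under a scripts/ directory and fails when it finds one, and a request wrapper that takes the token only from PINCHTAB_TOKEN and aborts if it is unset. The sample scripts it creates are constructed here with a fake token; the /tabs paths and the PINCHTAB_URL and PINCHTAB_DRY_RUN variable names are assumptions of the example, while the http://localhost:9867 base and the Bearer header come from the report.

```shell
#!/usr/bin/env bash
# Added example for the hardcoded-token finding; not code from the pinchtab skill.
# Written to run under POSIX sh as well as bash (no arrays, no [[ ]]).
set -eu

# Report file:line for every TOKEN="<hex literal>" assignment under $1 and
# return 1 if any were found, so the function can gate a CI job. A hex literal
# of 32+ chars is treated as a secret; a ${PINCHTAB_TOKEN...} reference is not.
find_hardcoded_tokens() {
  dir="$1"
  hits=$(grep -rnE --include='*.sh' 'TOKEN="[0-9a-fA-F]{32,}"' "$dir" || true)
  [ -n "$hits" ] || return 0
  printf '%s\n' "$hits" | cut -d: -f1,2 | sort
  return 1
}

# Hardened request wrapper. The token comes only from the environment; the
# ${VAR:?msg} expansion makes the shell exit with the message when PINCHTAB_TOKEN
# is unset or empty, instead of sending "Bearer " with nothing after it.
# PINCHTAB_URL (assumed name) overrides the http://localhost:9867 base seen in
# the report. With PINCHTAB_DRY_RUN=1 (assumed name) the curl argv is printed
# one argument per line instead of being executed, so the example runs offline.
pinchtab_request() {
  method="$1"; path="$2"; body="${3:-}"
  token="${PINCHTAB_TOKEN:?PINCHTAB_TOKEN must be exported}"
  base="${PINCHTAB_URL:-http://localhost:9867}"
  set -- -sS --fail -X "$method" -H "Authorization: Bearer $token"
  if [ -n "$body" ]; then
    set -- "$@" -H 'Content-Type: application/json' --data "$body"
  fi
  set -- "$@" "$base$path"
  if [ "${PINCHTAB_DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$@"
  else
    curl "$@"
  fi
}

# Constructed sample tree: one "before" script with a fake 48-hex-char literal
# on line 3 and one "after" script that reads the environment. Prints its path.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/scripts"
  printf '%s\n' '#!/bin/bash' 'set -e' \
    'TOKEN="0123456789abcdef0123456789abcdef0123456789abcdef"' \
    'curl -s -H "Authorization: Bearer $TOKEN" http://localhost:9867/tabs' \
    > "$d/scripts/launch_browser.sh"
  printf '%s\n' '#!/bin/bash' 'set -e' \
    'TOKEN="${PINCHTAB_TOKEN:?PINCHTAB_TOKEN must be exported}"' \
    'curl -s -H "Authorization: Bearer $TOKEN" http://localhost:9867/tabs' \
    > "$d/scripts/get_page_snapshot.sh"
  printf '%s\n' "$d"
}

# Demo: scan the constructed tree, then dry-run a request (the path is hypothetical).
demo_dir=$(make_sample_tree)
if find_hardcoded_tokens "$demo_dir"; then
  echo "no hardcoded tokens found"
else
  echo "hardcoded token(s) listed above: rotate them and read PINCHTAB_TOKEN from the environment"
fi
PINCHTAB_DRY_RUN=1 PINCHTAB_TOKEN="${PINCHTAB_TOKEN:-example-token}" \
  pinchtab_request POST /tabs/navigate '{"url":"https://example.com"}'
rm -rf "$demo_dir"
```

Running the scan on the real skill directory reports the four files named in the finding; the wrapper is the shape each of those scripts should take once the literal is gone.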
Low
SKILL.md does not mention hardcoded credentials or credential sourcing [Doc Mismatch]
SKILL.md instructs users to 'export PINCHTAB_TOKEN' but never mentions that the bundled shell scripts carry their own hardcoded token. Documented behavior and implementation disagree: four of the scripts ignore the exported variable and use the hardcoded value.
export PINCHTAB_TOKEN="your_token"
→ Add a 'Credentials' section to SKILL.md clarifying that PINCHTAB_TOKEN is a shared service token and how to obtain it, and state that the exported value is the only source of the token once the scripts are fixed to read it.
SKILL.md:1
Low
External data exfiltration via Telegram (acceptable but undocumented risk) [Sensitive Access]
Both screenshot scripts send screenshot binary data (potentially containing sensitive page content) to Telegram's servers via the Bot API. While declared in SKILL.md, the implications of sending arbitrary webpage screenshots to a third-party messaging service are not discussed: whoever controls the bot token and the target chat_id receives every screenshot, and the bot token itself is carried in the request URL path, where proxies and verbose logging can capture it.
https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendPhoto
→ Add a warning in SKILL.md that screenshots are transmitted to Telegram servers and should not be used with sensitive page content unless the Telegram bot and the destination chat are under the user's control.
scripts/screenshot_and_send.sh:60, scripts/decode_screenshot.py:68
Info
base64 -d usage is legitimate (false positive from pre-scan) [Obfuscation]
The pre-scan flagged 'base64 -d' at line 46 of screenshot_and_send.sh as suspicious obfuscation. In context, it decodes a base64-encoded JPEG screenshot from the PinchTab API response, a necessary step for the core functionality, and the decoded bytes are written to a file rather than piped into a shell or interpreter. This is not obfuscation.
echo "$BASE64_DATA" | base64 -d > "$SCREENSHOT_FILE"
→ No action needed; this is expected behavior for the screenshot feature.
scripts/screenshot_and_send.sh:46
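The distinction the analyst applied above (decode to a file versus decode into an interpreter) can be made mechanically. The script below is an added example, not part of the skill or this report: a line classifier that treats base64 -d / --decode as data handling unless the decoded bytes are piped into a shell, python, perl or node, eval'd, or sourced, run over a constructed sample script whose second line is the exact evidence line from this finding. The regexes and the interpreter list are the example's own choices, not the scanner's.

```shell
#!/usr/bin/env bash
# Added example for the base64 false positive; not code from the pinchtab skill
# or from the scanner. Runs under POSIX sh as well as bash.
set -eu

# "base64 -d" or "base64 --decode" anywhere on the line.
DEC='base64[[:space:]]+(-d|--decode)'
# Decoded bytes reaching an interpreter: piped into sh/bash/zsh/python/perl/node,
# eval of a command substitution containing the decode, or sourced via <( ).
EXEC_RE="$DEC"'[^|]*\|[[:space:]]*(sh|bash|zsh|python[0-9.]*|perl|node)([[:space:]]|$)|eval[[:space:]]+.*'"$DEC"'|(source|\.)[[:space:]]+<\(.*'"$DEC"

# Classify one line as none, data-decode, or encoded-execution.
classify_base64_line() {
  if ! printf '%s\n' "$1" | grep -Eq "$DEC"; then
    echo none
  elif printf '%s\n' "$1" | grep -Eq "$EXEC_RE"; then
    echo encoded-execution
  else
    echo data-decode
  fi
}

# Print file:line:class for every decode line in $1. Return 1 only when at
# least one encoded-execution line is present, so a plain decode-to-file
# (the screenshot_and_send.sh case) never fails the check on its own.
scan_for_encoded_execution() {
  file="$1"; n=0; bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    cls=$(classify_base64_line "$line")
    if [ "$cls" = none ]; then continue; fi
    printf '%s:%d:%s\n' "$file" "$n" "$cls"
    if [ "$cls" = encoded-execution ]; then bad=1; fi
  done < "$file"
  [ "$bad" -eq 0 ]
}

# Constructed sample script: two benign decodes (line 2 is the evidence line from
# the report) and three lines that execute decoded bytes. Prints its path.
make_sample_script() {
  f=$(mktemp)
  printf '%s\n' \
    '#!/bin/bash' \
    'echo "$BASE64_DATA" | base64 -d > "$SCREENSHOT_FILE"' \
    'base64 --decode payload.b64 > out.bin' \
    'echo "$PAYLOAD" | base64 -d | bash' \
    'eval "$(echo "$P" | base64 -d)"' \
    'echo "$P" | base64 -d | python3 -' \
    'curl -s http://localhost:9867/screenshot' > "$f"
  printf '%s\n' "$f"
}

# Demo over the constructed file.
demo=$(make_sample_script)
if scan_for_encoded_execution "$demo"; then
  echo "only data decodes: no finding"
else
  echo "encoded execution present: worth a Critical flag"
fi
rm -f "$demo"
```

Pointing scan_for_encoded_execution at scripts/screenshot_and_send.sh would print a single data-decode line for line 46 and return 0, which is the outcome the pre-scan should have reached.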
Resource | Declared | Inferred | Status | Evidence
Shell | WRITE | WRITE | ✓ Aligned | All scripts use bash to call curl/POST/GET to localhost:9867
Filesystem | READ | READ | ✓ Aligned | Scripts read no files beyond their own code; decode_screenshot.py writes to --ou…
Network | READ | READ | ✓ Aligned | Scripts communicate with localhost:9867 (PinchTab) and api.telegram.org — both d…
Environment | NONE | READ | ✓ Aligned | All scripts read PINCHTAB_TOKEN and TELEGRAM_BOT_TOKEN from environment; this is…
Pre-scan pattern matches: 3 findings (1 Critical)

Critical · Encoded Execution (Base64-encoded execution / code obfuscation)
base64 -d
scripts/screenshot_and_send.sh:46

Medium · External URL
https://api.telegram.org/bot
scripts/decode_screenshot.py:68

Medium · External URL
https://api.telegram.org/bot$
scripts/screenshot_and_send.sh:60

File Tree

10 files · 11.6 KB · 420 lines
Markdown: 4 files, 171 lines · Shell: 5 files, 125 lines · Python: 1 file, 124 lines
├─ 📁 references
│ ├─ 📝 api-endpoints.md Markdown 56L · 736 B
│ ├─ 📝 common-workflows.md Markdown 19L · 594 B
│ └─ 📝 troubleshooting.md Markdown 19L · 518 B
├─ 📁 scripts
│ ├─ 🔧 click_element.sh Shell 15L · 353 B
│ ├─ 🐍 decode_screenshot.py Python 124L · 4.0 KB
│ ├─ 🔧 get_page_snapshot.sh Shell 6L · 167 B
│ ├─ 🔧 launch_browser.sh Shell 6L · 166 B
│ ├─ 🔧 navigate_to_url.sh Shell 15L · 332 B
│ └─ 🔧 screenshot_and_send.sh Shell 83L · 2.6 KB
└─ 📝 SKILL.md Markdown 77L · 2.3 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
requests | unpinned | pip (imported in decode_screenshot.py) | No | requests is not pinned to a specific version in any requirements.txt, so every install resolves to whatever release is current and a future release could introduce breaking changes. Pin the version (and ideally the hash, via pip install --require-hashes) in a requirements.txt.

Security Positives

✓ No reverse shell, C2, or data-theft behavior observed
✓ SKILL.md accurately describes the skill's purpose as browser automation via HTTP API
✓ Base64 decoding is legitimate image processing, not code obfuscation
✓ No credential exfiltration to attacker-controlled servers
✓ Telegram sending is opt-in and requires explicit chat_id argument
✓ decode_screenshot.py properly uses requests.Session-like patterns with error handling
✓ All shell scripts use set -e for safe exit on errors
✓ No eval(), os.system with user input, or other RCE primitives found
✓ No attempts to access ~/.ssh, ~/.aws, .env, or other sensitive host paths
✓ No cron, systemd, or persistence mechanisms installed