Trusted — Risk Score 5/100
Last scan: 1 day ago
god-of-all-browsers
A 100x smarter browser automation CLI using Puppeteer with stateful Chromium, AI-optimized snapshots, and human-like interaction
A legitimate, well-documented browser automation skill using Puppeteer with appropriate security controls and no malicious indicators.
Skill Name: god-of-all-browsers
Duration: 38.3s
Engine: pi
Safe to install
This skill can be used safely. The eval command should only be used with trusted scripts. Monitor session.json for credential exposure.

Findings 2 items

Severity Finding Location
Low Tool declaration imprecise (Doc Mismatch) browser.js:82
    SKILL.md declares 'shell' tool but implementation uses child_process.spawn with shell:false
    const child = spawn(EXECUTABLE_PATH, browserArgs, { detached: true, stdio: 'ignore', shell: false });
    → Consider declaring 'process' or 'browser' tool type for accuracy
Info Session persistence with credentials (Sensitive Access) browser.js:430
    Saves browser cookies to session.json in plain text - documented and necessary for stateful automation
    fs.writeFileSync(sessionPath, JSON.stringify(allCookies, null, 2));
    → Standard behavior for session persistence; file permissions hardened to 0o600

Resource Declared Inferred Status Evidence
Filesystem WRITE WRITE ✓ Aligned Creates chrome_profile, session.json, recordings/ directories
Network READ READ ✓ Aligned Browser navigates URLs, Google search
Shell WRITE WRITE ✓ Aligned Uses spawn() with shell:false to launch Chrome
Browser WRITE WRITE ✓ Aligned Puppeteer browser automation - core feature
1 High 10 findings
Severity Type Value Location
High Hardcoded IP address 122.0.0.0 browser.js:129
Medium External URL https://img.shields.io/badge/version-1.1.0-blue.svg README.md:3
Medium External URL https://img.shields.io/badge/License-MIT-yellow.svg README.md:4
Medium External URL https://img.shields.io/badge/Engine-Puppeteer--Core-green.svg README.md:5
Medium External URL https://pptr.dev/ README.md:5
Medium External URL https://news.ycombinator.com README.md:58
Medium External URL https://www.google.com SKILL.md:41
Medium External URL https://www.google.com/search?q=$ browser.js:956
Medium External URL https://www.google.com/maps/search/restaurants+in+Tiruchengode/@11.3838534 self_learning.json:9
Medium External URL https://in.linkedin.com/in/mathanraj-murugesan?trk=people-guest_people_search-card self_learning.json:18

File Tree

10 files · 102.3 KB · 2485 lines
JavaScript 2f · 1088L JSON 4f · 968L Markdown 2f · 383L Shell 1f · 29L Ignore 1f · 17L
├─ 📁 custom_files
│ └─ 📜 gmaps_contacts.js JavaScript 87L · 3.6 KB
├─ 📋 _meta.json JSON 6L · 302 B
├─ 📄 .gitignore Ignore 17L · 208 B
├─ 📜 browser.js JavaScript 1001L · 48.1 KB
├─ 📋 package-lock.json JSON 929L · 32.6 KB
├─ 📋 package.json JSON 14L · 415 B
├─ 📝 README.md Markdown 155L · 6.6 KB
├─ 📋 self_learning.json JSON 19L · 1.1 KB
├─ 🔧 setup.sh Shell 29L · 821 B
└─ 📝 SKILL.md Markdown 228L · 8.6 KB

Dependencies 1 item

Package Version Source Known Vulns Notes
puppeteer-core ^24.38.0 npm No Version range is acceptable for browser automation

Security Positives

✓ No base64-encoded commands or obfuscation detected
✓ No external IP communications (127.0.0.1/localhost only for browser debugging)
✓ Security gate on eval command requiring --force flag or env variable
✓ Input sanitization on port, runId, and search queries
✓ File permission hardening (chmod 0o600) on session files
✓ Randomized debug port generation to prevent predictability
✓ Comprehensive documentation in SKILL.md and README.md
✓ Security warnings present for sensitive operations
✓ No credential harvesting beyond legitimate cookie persistence
✓ No reverse shell, C2, or data exfiltration patterns