Trusted - Risk score 5/100
Last scanned: 1 day ago
god-of-all-browsers
A 100x smarter browser automation CLI using Puppeteer with stateful Chromium, AI-optimized snapshots, and human-like interaction
A legitimate, well-documented browser automation skill using Puppeteer with appropriate security controls and no malicious indicators.
Skill name: god-of-all-browsers
Analysis time: 38.3s
Engine: pi
Safe to install
This skill can be used safely. The eval command should only be used with trusted scripts. Monitor session.json for credential exposure.

Security findings: 2

Severity | Finding | Location
Low
Tool declaration imprecise (documentation deception)
SKILL.md declares 'shell' tool but implementation uses child_process.spawn with shell:false
const child = spawn(EXECUTABLE_PATH, browserArgs, { detached: true, stdio: 'ignore', shell: false });
→ Consider declaring 'process' or 'browser' tool type for accuracy
browser.js:82
Info
Session persistence with credentials (sensitive access)
Saves browser cookies to session.json in plain text - documented and necessary for stateful automation
fs.writeFileSync(sessionPath, JSON.stringify(allCookies, null, 2));
→ Standard behavior for session persistence; file permissions hardened to 0o600
browser.js:430
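Resource type | Declared permission | Inferred permission | Status | Evidence
File system | WRITE | WRITE | ✓ Consistent | Creates chrome_profile, session.json, recordings/ directories
Network access | READ | READ | ✓ Consistent | Browser navigates URLs, Google search
Command execution | WRITE | WRITE | ✓ Consistent | Uses spawn() with shell:false to launch Chrome
Browser | WRITE | WRITE | ✓ Consistent | Puppeteer browser automation - core feature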
1 high-risk, 10 findings
High: hard-coded IP address 122.0.0.0 (browser.js:129)
Medium: external URL https://img.shields.io/badge/version-1.1.0-blue.svg (README.md:3)
Medium: external URL https://img.shields.io/badge/License-MIT-yellow.svg (README.md:4)
Medium: external URL https://img.shields.io/badge/Engine-Puppeteer--Core-green.svg (README.md:5)
Medium: external URL https://pptr.dev/ (README.md:5)
Medium: external URL https://news.ycombinator.com (README.md:58)
Medium: external URL https://www.google.com (SKILL.md:41)
Medium: external URL https://www.google.com/search?q=$ (browser.js:956)
Medium: external URL https://www.google.com/maps/search/restaurants+in+Tiruchengode/@11.3838534 (self_learning.json:9)
Medium: external URL https://in.linkedin.com/in/mathanraj-murugesan?trk=people-guest_people_search-card (self_learning.json:18)

Directory structure

10 files · 102.3 KB · 2485 lines
JavaScript 2f · 1088L JSON 4f · 968L Markdown 2f · 383L Shell 1f · 29L Ignore 1f · 17L
├─ 📁 custom_files
│ └─ 📜 gmaps_contacts.js JavaScript 87L · 3.6 KB
├─ 📋 _meta.json JSON 6L · 302 B
├─ 📄 .gitignore Ignore 17L · 208 B
├─ 📜 browser.js JavaScript 1001L · 48.1 KB
├─ 📋 package-lock.json JSON 929L · 32.6 KB
├─ 📋 package.json JSON 14L · 415 B
├─ 📝 README.md Markdown 155L · 6.6 KB
├─ 📋 self_learning.json JSON 19L · 1.1 KB
├─ 🔧 setup.sh Shell 29L · 821 B
└─ 📝 SKILL.md Markdown 228L · 8.6 KB

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
puppeteer-core | ^24.38.0 | npm | | Version range is acceptable for browser automation

Security highlights

✓ No base64-encoded commands or obfuscation detected
✓ No external IP communications (127.0.0.1/localhost only for browser debugging)
✓ Security gate on eval command requiring --force flag or env variable
✓ Input sanitization on port, runId, and search queries
✓ File permission hardening (chmod 0o600) on session files
✓ Randomized debug port generation to prevent predictability
✓ Comprehensive documentation in SKILL.md and README.md
✓ Security warnings present for sensitive operations
✓ No credential harvesting beyond legitimate cookie persistence
✓ No reverse shell, C2, or data exfiltration patterns