lock-me-in Security Report — Suspicious | ClawSafe

40 /100

lock-me-in

Remote browser login and session persistence for headless servers via cloudflared tunnel

The skill is a legitimate browser-login tool but contains undeclared functionality: an undocumented environment variable (OPENCLAW_PROXY_URL) for proxy injection, an undeclared /eval endpoint allowing arbitrary JS execution in the browser page, and extensive stealth/anti-detection scripts that modify browser fingerprinting signals — none of which are mentioned in SKILL.md.

Skill Namelock-me-in

Duration93.2s

Enginepi

⚠

Use with caution

Document all undeclared capabilities (OPENCLAW_PROXY_URL, /eval endpoint, stealth evasion scripts) in SKILL.md. Consider removing or restricting the /eval endpoint, as it enables arbitrary JavaScript execution in the authenticated browser context accessible via the tunnel URL.

Findings 5 items

Severity	Finding	Location
Medium	Undeclared stealth/anti-detection browser scripts Doc Mismatch 50+ lines of stealth evasion code inject JavaScript to hide navigator.webdriver, spoof WebGL vendor/renderer, fake hardwareConcurrency (8), deviceMemory (8), platform (Win32), navigator.plugins, and more. These modify the browser's fingerprint on every page load and are not mentioned in SKILL.md. const STEALTH_SCRIPTS = [`Object.defineProperty(navigator, 'webdriver', { get: () => false })`... → Document the use of stealth evasion scripts in SKILL.md with a clear justification (e.g., required to log into sites with bot detection). Users should be informed that browser fingerprint is modified.	`scripts/browser-login.mjs:35`
Medium	Undeclared /eval HTTP endpoint allows arbitrary JS execution in authenticated browser RCE The HTTP server exposes a /eval endpoint that executes arbitrary JavaScript via page.evaluate() on the authenticated browser page. While the endpoint is within the HTTP server, it is not declared in SKILL.md, and its output is visible in the web UI. Anyone with the tunnel URL can send requests to /eval during the active session. `case '/eval': const script = url.searchParams.get('js'); try { const result = await page.evaluate(script); ... }` → Either remove the /eval endpoint, restrict it to known-safe operations, or clearly document it in SKILL.md as a feature for advanced users.	`scripts/browser-login.mjs:248`
Medium	Undeclared OPENCLAW_PROXY_URL environment variable Doc Mismatch The script reads OPENCLAW_PROXY_URL from the environment, parses embedded credentials (username:password@host:port), and passes them as browser proxy authentication. This undocumented mechanism allows proxy injection with credentials, which is not mentioned in SKILL.md's configuration section. `OPENCLAW_PROXY_URL - HTTP proxy for browser traffic (optional)` → Document OPENCLAW_PROXY_URL in SKILL.md's Configuration section, or rename it to LOCK_ME_IN_PROXY_URL for consistency with the LOCK_ME_IN_* namespace.	`scripts/browser-login.mjs:18`
Low	Cloudflared binary spawned via shell subprocess Priv Escalation The cloudflared tunnel binary is spawned as a child process via spawn(). While this is functionally necessary for the skill to work, the shell:WRITE capability is not declared in SKILL.md's allowed-tools section. const tunnel = spawn(CLOUDFLARED, ['tunnel', '--url', `http://localhost:${proxyPort}`], { stdio: ['ignore', 'pipe', 'pipe'] }); → Document subprocess usage for cloudflared tunneling in SKILL.md.	`scripts/browser-login.mjs:404`
Low	cloudflared installation command does not pin version Supply Chain SKILL.md's installation command for cloudflared fetches the 'latest' release without a version pin: `curl -sL https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64` `curl -sL https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64` → Pin to a specific version tag to prevent unexpected updates: e.g., `curl -sL https://github.com/cloudflare/cloudflared/releases/download/2024.X.X/cloudflared-linux-amd64`	`SKILL.md:74`

Resource	Declared	Inferred	Status	Evidence
Browser	`WRITE`	`WRITE`	✓ Aligned	Playwright Chromium launch + page interaction throughout browser-login.mjs
Network	`NONE`	`WRITE`	✗ Violation	Cloudflared spawns external tunnel (line 404-405); proxy injection via OPENCLAW_…
Filesystem	`READ+WRITE`	`READ+WRITE`	✓ Aligned	Session storageState read/write (line 302, saveSession function)
Shell	`NONE`	`WRITE`	✗ Violation	spawn() used for cloudflared binary (line 404) — shell:WRITE, not declared

1 High 4 findings

📡

High IP Address 硬编码 IP 地址

131.0.0.0

scripts/browser-login.mjs:262

🔗

Medium External URL 外部 URL

https://linkedin.com/login

SKILL.md:26

🔗

Medium External URL 外部 URL

https://mail.google.com

SKILL.md:28

🔗

Medium External URL 外部 URL

https://linkedin.com/feed

SKILL.md:52

File Tree

2 files · 24.4 KB · 565 lines

JavaScript 1f · 468L Markdown 1f · 97L

├─ ▾ 📁 scripts

│ └─ 📜 browser-login.mjs JavaScript 468L · 20.6 KB

└─ 📝 SKILL.md Markdown 97L · 3.9 KB

Dependencies 2 items

Package	Version	Source	Known Vulns	Notes
`playwright-core`	`unknown (imported from /app/node_modules)`	npm	No	No package.json found; playwright-core is a transitive dep
`cloudflared`	`latest (unpinned)`	github releases	No	Installation command in SKILL.md fetches latest without version pin

Security Positives

✓ No credential harvesting or exfiltration — session data stays local

✓ No base64-encoded or obfuscated code found

✓ Auto-close timeout (15 min) limits exposure window

✓ Tunnel URLs are random and ephemeral (cloudflared managed)

✓ Session storage is scoped to a named directory, not globally accessible

✓ Proper cleanup on SIGINT/SIGTERM signals

✓ Cookie banners auto-accepted for UX, not for bypassing security

Scan Report

Findings 5 items

File Tree

Dependencies 2 items

Security Positives