Skill Trust Decision
lock-me-in
The skill is a legitimate browser-login tool but contains undeclared functionality: an undocumented environment variable (OPENCLAW_PROXY_URL) for proxy injection, an undeclared /eval endpoint allowing arbitrary JS execution in the browser page, and extensive stealth/anti-detection scripts that modify browser fingerprinting signals — none of which are mentioned in SKILL.md.
Most direct threat evidence
Why this conclusion was reached
2/4 dimensions flagged Block
Declared vs actual capability
2 undeclared or violating capabilities were inferred.
Block
Hidden execution and egress
1 high-risk artifacts or egress signals were extracted.
Pass
Attack chain and severe findings
There is no explicit malicious chain in the report.
Review
Dependencies and supply chain hygiene
1 dependency or supply-chain issues need attention.
What drove the risk score up
Undeclared stealth/anti-detection scripts +15
50+ lines of browser fingerprint spoofing (webdriver hide, WebGL spoof, hardwareConcurrency spoof, etc.) injected on every page — not declared in SKILL.md
Undeclared /eval endpoint +10
HTTP endpoint /eval executes arbitrary JavaScript in the authenticated browser page; not documented in SKILL.md; accessible to anyone with the tunnel URL
Undeclared OPENCLAW_PROXY_URL environment variable +8
Supports proxy injection with embedded credentials via undocumented env var; proxy username/password parsed and passed to browser launch — not in SKILL.md
Tunnel URL accessible without authentication +7
No authentication on the tunnel; SKILL.md mentions 'No authentication on the tunnel by default' but the 15-min auto-close is the only protection
Most important evidence
Medium Doc Mismatch
Undeclared stealth/anti-detection browser scripts
50+ lines of stealth evasion code inject JavaScript to hide navigator.webdriver, spoof WebGL vendor/renderer, fake hardwareConcurrency (8), deviceMemory (8), platform (Win32), navigator.plugins, and more. These modify the browser's fingerprint on every page load and are not mentioned in SKILL.md.
scripts/browser-login.mjs:35 Document the use of stealth evasion scripts in SKILL.md with a clear justification (e.g., required to log into sites with bot detection). Users should be informed that browser fingerprint is modified.
Medium RCE
Undeclared /eval HTTP endpoint allows arbitrary JS execution in authenticated browser
The HTTP server exposes a /eval endpoint that executes arbitrary JavaScript via page.evaluate() on the authenticated browser page. While the endpoint is within the HTTP server, it is not declared in SKILL.md, and its output is visible in the web UI. Anyone with the tunnel URL can send requests to /eval during the active session.
scripts/browser-login.mjs:248 Either remove the /eval endpoint, restrict it to known-safe operations, or clearly document it in SKILL.md as a feature for advanced users.
Medium Doc Mismatch
Undeclared OPENCLAW_PROXY_URL environment variable
The script reads OPENCLAW_PROXY_URL from the environment, parses embedded credentials (username:password@host:port), and passes them as browser proxy authentication. This undocumented mechanism allows proxy injection with credentials, which is not mentioned in SKILL.md's configuration section.
scripts/browser-login.mjs:18 Document OPENCLAW_PROXY_URL in SKILL.md's Configuration section, or rename it to LOCK_ME_IN_PROXY_URL for consistency with the LOCK_ME_IN_* namespace.
Low Priv Escalation
Cloudflared binary spawned via shell subprocess
The cloudflared tunnel binary is spawned as a child process via spawn(). While this is functionally necessary for the skill to work, the shell:WRITE capability is not declared in SKILL.md's allowed-tools section.
scripts/browser-login.mjs:404 Document subprocess usage for cloudflared tunneling in SKILL.md.
Low Supply Chain
cloudflared installation command does not pin version
SKILL.md's installation command for cloudflared fetches the 'latest' release without a version pin: `curl -sL https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64`
SKILL.md:74 Pin to a specific version tag to prevent unexpected updates: e.g., `curl -sL https://github.com/cloudflare/cloudflared/releases/download/2024.X.X/cloudflared-linux-amd64`
Declared capability vs actual capability
Browser Pass
Declared WRITE
→ Inferred WRITE
Playwright Chromium launch + page interaction throughout browser-login.mjs Network Block
Declared NONE
→ Inferred WRITE
Cloudflared spawns external tunnel (line 404-405); proxy injection via OPENCLAW_PROXY_URL (line 283-287); HTTP server binds 0.0.0.0 (line 413) Filesystem Pass
Declared READ+WRITE
→ Inferred READ+WRITE
Session storageState read/write (line 302, saveSession function) Shell Block
Declared NONE
→ Inferred WRITE
spawn() used for cloudflared binary (line 404) — shell:WRITE, not declared Suspicious artifacts and egress
High IP Address
131.0.0.0 scripts/browser-login.mjs:262
Medium External URL
https://linkedin.com/login SKILL.md:26
Medium External URL
https://mail.google.com SKILL.md:28
Medium External URL
https://linkedin.com/feed SKILL.md:52
Dependencies and supply chain
| Package | Version | Source | Known vuln | Notes |
|---|---|---|---|---|
| playwright-core | unknown (imported from /app/node_modules) | npm | No | No package.json found; playwright-core is a transitive dep |
| cloudflared | latest (unpinned) | github releases | No | Installation command in SKILL.md fetches latest without version pin |
File composition
2 files · 565 lines
JavaScript 1 files · 468 linesMarkdown 1 files · 97 lines
Files of concern · 2
scripts/browser-login.mjs Undeclared stealth/anti-detection browser scripts · Undeclared /eval HTTP endpoint allows arbitrary JS execution in authenticated browser · Undeclared OPENCLAW_PROXY_URL environment variable · Cloudflared binary spawned via shell subprocess · 131.0.0.0
SKILL.md cloudflared installation command does not pin version · https://linkedin.com/login · https://mail.google.com · https://linkedin.com/feed
Security positives
No credential harvesting or exfiltration — session data stays local
No base64-encoded or obfuscated code found
Auto-close timeout (15 min) limits exposure window
Tunnel URLs are random and ephemeral (cloudflared managed)
Session storage is scoped to a named directory, not globally accessible
Proper cleanup on SIGINT/SIGTERM signals
Cookie banners auto-accepted for UX, not for bypassing security