Low Risk — Risk Score 22/100
Last scan: 1 day ago
chromedev
Use local Chrome MCP for live browsing and web page extraction via local DevTools middleware
The chromedev skill is a legitimate browser automation tool that uses a local MCP endpoint for web scraping, with shell execution declared in documentation but capability mapping incomplete.
Skill Name: chromedev
Duration: 42.2s
Engine: pi
Safe to install
Pin npm package versions to mitigate supply chain risk and explicitly declare shell:WRITE and filesystem:WRITE in SKILL.md capability declarations.

Findings 2 items

Severity: Medium
Finding: Unpinned npm dependencies (Supply Chain)
Location: SKILL.md:74
@mallocfeng/chromedev and @modelcontextprotocol/sdk are installed without version specifiers, allowing the registry to serve updated versions at install time.
npm install -g @mallocfeng/chromedev
→ Pin to specific versions: npm install -g @mallocfeng/chromedev@<version> and npm install @modelcontextprotocol/sdk@<version>

Severity: Low
Finding: Shell and filesystem WRITE not declared in capability header (Doc Mismatch)
Location: SKILL.md:1
SKILL.md frontmatter only declares network/browser usage, but inline documentation shows bash/node commands for npm installs, which map to shell:WRITE and filesystem:WRITE.
---name: chromedev (no shell or filesystem in declared capabilities)
→ Add shell:WRITE and filesystem:WRITE to allowed-tools mapping documentation if this skill is analyzed by automated tooling

Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | WRITE | ✗ Violation | SKILL.md lines 72-76: npm install commands for global and workspace packages
Shell | NONE | WRITE | ✗ Violation | SKILL.md lines 67-76: bash commands (curl, command -v, node, npm install)
Network | READ | READ | ✓ Aligned | SKILL.md: http://127.0.0.1:8787/mcp, local-only access only
Browser | FULL | FULL | ✓ Aligned | SKILL.md describes full Chrome DevTools MCP capabilities

3 findings
Medium | External URL | https://clawhub.ai | .clawhub/origin.json:3
Medium | External URL | http://127.0.0.1:8787/mcp | SKILL.md:3
Medium | External URL | https://www.163.com/\ | scripts/http_mcp_call.mjs:78

File Tree

5 files · 13.1 KB · 291 lines
Markdown 1f · 180L JavaScript 1f · 84L YAML 1f · 15L JSON 2f · 12L
├─ 📁 .clawhub
│ └─ 📋 origin.json JSON 7L · 141 B
├─ 📁 agents
│ └─ 📋 openai.yaml YAML 15L · 501 B
├─ 📁 scripts
│ └─ 📜 http_mcp_call.mjs JavaScript 84L · 2.6 KB
├─ 📋 _meta.json JSON 5L · 128 B
└─ 📝 SKILL.md Markdown 180L · 9.8 KB

Dependencies 2 items

Package | Version | Source | Known Vulns | Notes
@mallocfeng/chromedev | latest | npm | No | Version not pinned - could be updated to malicious version without user knowledge
@modelcontextprotocol/sdk | latest | npm | No | Version not pinned - official MCP SDK, lower risk but still a supply chain concern

Security Positives

✓ Local-only network access restricted to 127.0.0.1:8787 prevents external data exfiltration
✓ No credential harvesting - does not access ~/.ssh, ~/.aws, .env, or environment variables for secrets
✓ No obfuscation - code is plain JavaScript, no base64 or eval patterns
✓ No hidden C2 infrastructure - no hardcoded IPs or domains outside the local MCP endpoint
✓ Explicit progress/output rules documented to prevent accidental data leakage via chat channels
✓ No persistence mechanisms - no cron, startup scripts, or backdoor installations