Security scan
OpenClaw
Suspicious
medium confidence
Assessment and recommendations
This skill looks like a legitimate Chrome DevTools integration in terms of functionality, but the package provenance is unclear. Before installing: (1) verify the npm package and source repository (confirm it's actually maintained by Google or a trusted author); (2) prefer installing a pinned, audited version (avoid npx @latest) or install from a verified GitHub release; (3) run the server in an isolated environment or container and avoid using it on pages with sensitive auth/cookies until you t...
ℹ Purpose and capabilities
The name, description, and listed tools (navigation, click/fill, evaluate_script, network inspection, Lighthouse, traces) are internally consistent with a browser automation/devtools skill. However the README claims 'Official Google project' but registry metadata shows no homepage or source repository — that mismatch is unexplained and worth verifying before trusting the package.
ℹ Instruction scope
All runtime instructions are limited to installing and running an MCP server and calling DevTools-style actions. This matches the stated purpose. Be aware evaluate_script and network/console inspection tools grant the agent the ability to run arbitrary JS in page context and inspect network traffic and console output — expected for this tool but high-impact if used on sensitive pages.
⚠ Install mechanism
There is no registry install spec in the skill bundle, but the SKILL.md recommends npm i -g chrome-devtools-mcp or npx -y chrome-devtools-mcp@latest. Relying on npx @latest fetches dynamic code from npm at runtime and increases supply-chain risk. The absence of a canonical homepage/repo to validate the npm package makes this riskier.
ℹ Credential requirements
The skill does not request environment variables or credentials in metadata (reasonable). Nevertheless, once running it has broad access to page state (DOM, localStorage, cookies visible to the page) and network requests. Those capabilities are proportional to browser automation but can expose sensitive data if used on authenticated or private pages.
✓ Persistence and privileges
No 'always: true' or other elevated persistence is requested; model invocation is allowed (default) which is expected for skills. The skill does not declare writes to other skills' config or system-wide settings in the bundle.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/4/13
● Harmless
Install command
Official: npx clawhub@latest install chrome-devtools-mcp-standard
Mirror (accelerated): npx clawhub@latest install chrome-devtools-mcp-standard --registry https://cn.longxiaskill.com