Is mindsocket/open-chrome-tabs safe?

https://github.com/openclaw/skills/tree/main/skills/mindsocket/open-chrome-tabs

85
SAFE

The mindsocket/open-chrome-tabs skill is a documentation-only package (SKILL.md + metadata) with no embedded executable code, no prompt injection, no malicious install behavior, and clean canary integrity. Its primary security concern is inherent to its declared purpose: the skill enables an LLM agent to read all open browser tabs across synced devices, accessing Chrome's LevelDB sync database and SNSS session files, which can expose sensitive URLs, authentication tokens, and detailed personal browsing activity. An additional supply chain risk exists from the unaudited npm package (@mindsocket/chrome-open-tabs) that the skill instructs the agent to execute at runtime.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 72/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 92/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (6)

MEDIUM Skill reads sensitive browser data by design -20

The declared primary function of this skill is to read Chrome's LevelDB sync database and SNSS session files, exposing all open browser tabs including those on synced mobile and desktop devices. Browser tab URLs can contain authentication tokens, private search queries, session identifiers, and reveal health, financial, and personal activities. While this is intentional functionality, it grants the agent broad read access to sensitive user context that could be logged, summarized, or forwarded by the agent.

MEDIUM Runtime execution of unaudited external npm package via npx -15

The skill instructs the agent to execute npx @mindsocket/chrome-open-tabs or install it globally via npm install -g. The npm package itself was not included in the skill repository and was not audited. npx fetches and executes the latest published version at runtime, creating a supply chain dependency. A compromised or malicious package update could enable data exfiltration of browser tab contents without changes to SKILL.md.

LOW Cross-device surveillance capability via Chrome sync data -25

The skill exposes browser tabs from all synced devices (e.g., Android phone, work laptop) by reading Chrome's sync LevelDB. A user asking 'what tabs do I have open?' may not expect the agent to enumerate their mobile browsing sessions. This capability could be exploited by prompt injection from a malicious webpage tab that instructs the agent to read and relay browsing data from other devices.

LOW Canary files accessed twice during audit period -8

Auditd records show two batches of accesses to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials. Timing analysis places both access batches as attributable to the oathe audit monitoring system (pre-install baseline capture and post-install integrity check), not the skill under test. All accesses are CLOSE_NOWRITE (read-only), no correlating outbound network connections exist, and the audit system confirms all canaries intact.

INFO SKILL.md is clean with no injection patterns -5

Full review of SKILL.md found no attempts to override system instructions, alter agent persona, suppress output, reference external URLs for fetching, or use hidden unicode/markdown. The skill content is straightforward CLI documentation.

INFO Installation limited to documentation files only 0

The git clone and sparse checkout installed exactly two files: SKILL.md and _meta.json. Filesystem diff confirms no other changes. No npm package was installed during this audit (the npm install is a user action at runtime, not at install time). Clone connected only to GitHub.