openclaw browser open https://chat.deepseek.com and login it, then input questions from user's messages, extract response of deepseek chat to reply user.
Security Analysis
medium confidenceThe skill's stated purpose (automating queries to chat.deepseek.com) is plausible, but the runtime instructions ask the agent to take screenshots, run shell commands, and send those screenshots over the user's messaging channels without declaring or justifying that access — this is scope-creep that could leak data.
The skill's name and description match the instructions to open chat.deepseek.com, type questions, and extract text from the page. However, the runtime steps also instruct the agent to send QR-code screenshots via various messaging channels (imessage/whatsapp/signal) and to run exec() commands. Those messaging/send actions are outside the minimal capability needed to query DeepSeek (they are a convenience for QR login but broaden the skill's access surface).
SKILL.md instructs the agent to: take screenshots of the page (QR codes and snapshots), write them to workspace paths, execute arbitrary shell commands (imsg send, openclaw message send, exec examples) to deliver screenshots to external channels, and perform broad DOM scraping (selecting many <p> elements across the whole page). These actions permit reading page content and sending it to external endpoints (user channels). The instructions also include polling loops and arbitrary exec usage with placeholders for account IDs and filesystem paths — this gives the agent broad discretion to touch files, messaging channels, and run arbitrary commands.
This is an instruction-only skill with no install spec and no external downloads or dependencies, so it does not write new code to disk or pull remote archives.
The skill declares no required env vars, but the instructions rely on platform features (exec to imsg/openclaw messaging, writing to <your-workspace>, accessing browser profile 'openclaw', sessions_list) that let it access messaging accounts and filesystem paths. Those capabilities are not explicitly declared as required and can be used to transmit screenshots or page contents to other accounts. The skill also uses exec() to run arbitrary shell commands — a high-capability operation relative to the simple stated purpose.
always:false (good). The skill can be invoked autonomously by the agent (platform default). Combined with its ability to take screenshots and send messages via exec, autonomous invocation increases risk; however autonomous invocation alone is normal and not intrinsically flagged by policy.
Guidance
This skill will control a browser tab, take screenshots of the page (including any visible content), run shell commands, and send the screenshots via messaging channels (imessage/whatsapp/signal examples). Before installing, consider: (1) Do you trust the skill to access your messaging channels and workspace files? It may transmit sensitive page content. (2) Prefer scanning QR codes manually rather than allowing the agent to send screenshots automatically. (3) If you must use it, disable autonomous invocation or run it in a restricted test account/environment first. (4) Ask the author to remove or limit exec/send steps or to explicitly declare what channels and filesystem paths will be used. (5) Review platform logs for any unexpected messages the skill sends.
Latest Release
v1.0.0
Version 1.0.0 — Initial Release of Chat DeepSeek Browsing Automation Skill - Switched from direct DeepSeek API + script interface to full browser automation. - Implements login via QR code snapshot, message input via DOM automation, and output extraction from the DeepSeek chat web UI. - Removed API-based usage (config.env, scripts/chat.js) in favor of browser/manual login with no LLM or API key requirements. - Added detailed documentation for all browser automation steps, use cases, and limitations. - Provided multiple aliases for easier skill invocation. - Now replies with raw page text (not LLM-processed).
More by @qidu
Published by @qidu on ClawHub
