browser-cdp

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed real-browser controller, but it gives broad unauthenticated control over logged-in Chrome browsing without enough scoping or consent guardrails.

Install only if you intentionally want an agent to control a real Chrome session. Use a dedicated temporary Chrome profile, log in only to the accounts needed for the task, avoid sensitive sites, stop the proxy immediately after use, and treat JavaScript evaluation, screenshots, clicks, and file uploads as high-trust actions. The static scan was clean and VirusTotal was pending, but the review verdict is based on the artifact's own broad browser-control authority and missing guardrails.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The /eval endpoint executes arbitrary JavaScript via Runtime.evaluate in the user's live Chrome session, including logged-in sites and private content. In this skill's context, that enables unrestricted data access and state-changing actions far beyond simple browser automation, making prompt injection or misuse especially dangerous.

Context-Inappropriate Capability

High
Confidence: 95%
Finding
The /setFiles endpoint allows arbitrary local filesystem paths to be injected into file inputs in the user's browser, enabling uploads of sensitive local files to remote websites without meaningful restriction. Given the skill explicitly operates on the user's real logged-in browser, this materially increases the risk of exfiltrating local data and performing unintended authenticated actions.

Description-Behavior Mismatch

Medium
Confidence: 87%
Finding
The /screenshot endpoint can write attacker-controlled output to an arbitrary local path, which exceeds the stated screenshot capability and creates a filesystem write primitive. While the written content is image data, arbitrary path writes can still overwrite user files, clobber application data, or place content in sensitive locations.

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger conditions are broad enough that the skill may be invoked for many ordinary browsing tasks, including cases involving search pages, dynamic sites, or any action verbs like click or scroll. Because this skill exposes a real logged-in browser session, overbroad invocation increases the chance an agent will access authenticated content or perform state-changing actions when a less-privileged tool would have been sufficient.

Missing User Warnings

High
Confidence: 97%
Finding
The description explicitly advertises access to full user login state and private content but does not pair that capability with clear warnings, consent requirements, or guardrails. In practice, this normalizes authenticated data access and can lead an agent to read sensitive account information, messages, or personal data without sufficiently informed user approval.

Missing User Warnings

Medium
Confidence: 93%
Finding
The HTTP API can navigate tabs, execute code, click elements, upload files, and capture screenshots in the user's everyday Chrome session without any user-facing confirmation, authorization, or warning. Because this skill is specifically designed to access logged-in private content and bypass anti-bot protections, lack of consent and guardrails makes unintended or adversarial actions much more dangerous.

Ssd 3

High
Confidence: 99%
Finding
This line directly instructs the agent to use the skill when it needs to read the logged-in user's private content. That is dangerous because it operationalizes access to authenticated private data as a routine use case, creating a clear path for privacy violations, over-collection, and unauthorized handling of sensitive information.

Ssd 3

High
Confidence: 98%
Finding
The skill description frames authenticated browser access and anti-bot bypass as core benefits, including access to private content through the user's existing session. In the context of an agent skill, this materially increases risk because the agent can inherit powerful account access without a clear boundary between public automation and sensitive personal data retrieval.

Ssd 3

High
Confidence: 98%
Finding
The feature list highlights that cookies and sessions are carried through, which means the agent can act with the same privileges as the user's browser. That creates substantial risk of exposing account data, interacting with private services, and performing unintended actions in authenticated contexts if the skill is invoked too broadly or misused.

Ssd 3

Medium
Confidence: 93%
Finding
The tool-selection table recommends this skill for login-gated content, steering agents toward using inherited browser authentication to access protected material. Although this may be useful in some legitimate workflows, presenting it as standard routing guidance raises the likelihood of unnecessary authenticated access and privacy-invasive data retrieval.

VirusTotal

55/55 vendors flagged this skill as clean.
