Captcha Relay

Security checks across malware telemetry and agentic risk

Overview

This skill openly helps relay and inject CAPTCHA solutions, but it exposes browser/session data and control through unauthenticated network-facing relays.

Install only if you are using it for authorized testing or workflows you control. Treat relay URLs and screenshots as sensitive, prefer private Tailscale access over public tunnels, avoid sensitive logged-in pages, and do not use the browser relay or token-injection features on third-party services without explicit permission.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (24)

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The document explicitly states that CAPTCHA token relay can work across domains and that tokens can be extracted on one site, solved on a separate relay page, and injected back into the automated browser. That meaningfully exceeds a normal accessibility-style human-in-the-loop assist flow and instead describes a mechanism for bypassing origin/context restrictions that CAPTCHA systems rely on, enabling anti-bot evasion at scale.

Intent-Code Divergence

Medium
Confidence
83% confidence
Finding
Claiming the relay serves the 'real CAPTCHA widget' obscures that the widget is rendered on a separate relay page, often over a different domain or tunnel, which can mislead operators about security properties and trust boundaries. This misrepresentation increases the risk that users deploy a design that depends on deceptive cross-context token collection and underestimates the compliance and anti-abuse implications.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
This file implements a general-purpose remote browser streaming and control channel, not a narrowly scoped CAPTCHA-assist mechanism. It exposes live page contents and allows a remote human to interact with the entire tab, which can reveal sensitive data and enable actions far beyond solving a CAPTCHA if the relay URL is accessed by the wrong party.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The input handler accepts arbitrary remote mouse, keyboard, scroll, and touch events and forwards them directly to Chrome via CDP with no validation, authorization, or CAPTCHA-specific restrictions. A connected client can therefore type into forms, click any page element, submit data, or alter account state, turning the feature into full remote browser control.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The server writes solved CAPTCHA tokens to a fixed filename in the system temp directory, making them accessible to other local processes that know or can guess the path. In this skill's context, CAPTCHA tokens are authentication-like artifacts intended for immediate browser injection, so persisting them outside that flow unnecessarily broadens exposure and creates a covert handoff channel.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The predictable temp-file path exposes CAPTCHA tokens to any local consumer able to read that file, which defeats the stated in-browser token relay model and creates an unintended exfiltration point. Because CAPTCHA tokens may be short-lived but still usable, another local process could race to steal and replay them.

Intent-Code Divergence

Low
Confidence
79% confidence
Finding
The comment indicating the token file is intended for 'external consumers' suggests a capability beyond the documented browser injection flow, which is a meaningful security concern because it implies deliberate token sharing outside the primary execution path. While the comment itself is not the flaw, it corroborates that the file write is not accidental and increases concern about undocumented token exposure.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This template does not just render a CAPTCHA widget or relay a solved token; it streams page imagery and forwards mouse, touch, scroll, and keyboard events, enabling near-complete remote browser operation. In the context of a CAPTCHA-solving skill, that materially expands capability into generic human-operated browser control, which can be abused to navigate pages, submit forms, and interact with sensitive content well beyond the stated purpose.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The architecture sends CAPTCHA data and solution tokens through a locally hosted HTTP relay and third-party tunneling services, but provides no warning about exposure to external infrastructure, interception risk, or metadata leakage. In this skill's context, that is more dangerous because the whole design intentionally moves anti-bot challenge material off the original site and across additional systems, expanding the attack surface and privacy impact.

Missing User Warnings

Low
Confidence
86% confidence
Finding
Writing relayed CAPTCHA tokens to /tmp creates unnecessary local persistence of sensitive tokens that may be readable by other local users, processes, backups, or diagnostics depending on system configuration. Even if short-lived, this weakens token handling hygiene and can allow replay or disclosure during the token's validity window.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly instructs users to send CAPTCHA screenshots to a human via external channels and, in relay mode, to expose a CAPTCHA-solving page over Tailscale, LAN, or a public tunnel. That can disclose page contents, CAPTCHA/session context, sitekeys, and potentially active challenge state to other devices or third-party services without clearly warning about privacy, session-handling, or exposure risks.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Screenshot mode explicitly captures page content and sends it to a human over Telegram, but the description does not clearly warn that sensitive on-page data may be disclosed to a third party. In context, this skill operates on arbitrary web pages, so screenshots could include credentials, personal data, session information, or regulated content unrelated to the CAPTCHA itself.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Relay mode exposes CAPTCHA-related data and a reachable relay URL over Tailscale, LAN, or tunnel infrastructure, but the documentation does not clearly describe the resulting network exposure. This is risky because anyone who can access the relay endpoint may gain visibility into challenge material or interact with the browser-assisted flow, increasing the chance of unauthorized access or leakage.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documentation instructs users to download and immediately execute a remote installer script with no verification, pinning, or warning. If the upstream host, script, DNS, or transport path were compromised, users would run attacker-controlled code on their system during setup.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This code captures a live CAPTCHA screenshot from the user's browser context and writes it to disk in /tmp without any consent, notice, retention controls, or minimization. In the context of a CAPTCHA-relay skill, this is inherently designed to exfiltrate challenge content to a human solver and may also capture adjacent page data, making it a meaningful privacy and abuse risk rather than a harmless implementation detail.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The function injects DOM clicks into a reCAPTCHA challenge and auto-clicks the verify button, directly automating a security control intended to distinguish humans from bots. Given the skill's stated purpose is human-in-the-loop CAPTCHA solving and token/click injection, this is not incidental UI automation but a deliberate CAPTCHA-bypass mechanism that enables account abuse, scraping, and other automated attacks.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Relay mode prints and returns a reachable relay URL plus CAPTCHA metadata, and may expose the challenge through a public tunnel without authentication, access control, or explicit consent/warning. In this skill's context, that is more dangerous because the whole purpose is to let a remote human solve a live CAPTCHA, which creates real data-sharing and network-exposure risk and could allow unauthorized third parties to access or interfere with the solve flow.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The relay server streams browser frames and accepts remote interaction without any in-band warning, consent, or privacy notice despite potentially exposing the full contents of an active browser tab. In the skill context, this is more dangerous because CAPTCHA pages often coexist with login, payment, or personal data flows, so users may unknowingly disclose sensitive information to the remote solver.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This code programmatically injects CAPTCHA solution tokens into a live browser page using the Chrome DevTools Protocol, explicitly bypassing the normal user interaction flow expected by CAPTCHA providers. In the context of a CAPTCHA-relay skill, this is the core mechanism enabling CAPTCHA circumvention at scale, which can facilitate automated abuse of protected sites even if the immediate implementation is technically straightforward and not overtly disguised.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Writing CAPTCHA tokens to a predictable temporary file without disclosure creates an undisclosed data-sharing mechanism. In a skill specifically designed to solve and inject CAPTCHA responses, this makes the context more dangerous because users would reasonably expect the token to remain transient and confined to the browser automation flow.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Binding the relay server to 0.0.0.0 exposes it on all network interfaces, allowing other hosts on the local network or reachable segments to access the relay page and POST token data if they can reach the ephemeral port. Combined with permissive CORS and no authentication, this broadens the attack surface for token submission, probing, or abuse beyond the local machine.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The page establishes a WebSocket connection, displays streamed browser frames, and captures user input for remote execution, but it provides no meaningful disclosure or consent flow explaining that the user is controlling a remote browser session. That lack of transparency increases the risk of deceptive use, social engineering, and accidental interaction with sensitive pages or data under the guise of a simple CAPTCHA step.

Missing User Warnings

Low
Confidence
95% confidence
Finding
This page automatically sends the solved hCaptcha token to the server as soon as the human completes the challenge, without any explicit disclosure, confirmation, or indication of where the token will be used. In the context of a CAPTCHA relay skill, that behavior enables silent forwarding of a human-solved anti-abuse credential to another system, which materially increases abuse potential and weakens informed user consent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The file automatically exposes a local relay service to either a public tunnel or the LAN, with fallback behavior that can broaden access, but there is no user confirmation, access control, or warning in this code path. In the context of a CAPTCHA-relay skill, external exposure is especially sensitive because the relay may serve challenge material or accept solve tokens, creating a real risk of unauthorized access, token theft, or unintended publication of a local service.

VirusTotal

66/66 vendors flagged this skill as clean.
