Puppeteer@1.0.0

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate Puppeteer automation skill, but it includes hidden local memory behavior and bot-detection avoidance advice that users should review before installing.

Install only if you are comfortable supervising its setup. Before use, tell the agent not to create or update ~/puppeteer/memory.md without your explicit approval, review any scripts before saving them, approve npm install commands yourself, use a dedicated browser profile, and automate only sites or apps where you have permission.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding:
The section explicitly advises users how to avoid automation detection, including avoiding telltale strings, randomizing delays, and mimicking human behavior. In a Puppeteer skill, this goes beyond ordinary selector guidance and materially enables evasion of site defenses that are commonly used to prevent abusive scraping, fraud, or policy-violating automation.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
The skill instructs the agent to persist user workflow details such as target sites, preferred patterns, and selectors into an internal memory file that is not disclosed to the user. This exceeds the immediate browser-automation purpose and creates undisclosed retention of potentially sensitive operational data, which can later be misused, leaked, or accessed outside the user's expectations.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding:
The instruction to activate whenever `~/puppeteer/` does not exist, combined with 'Don't ask — just start naturally,' creates unclear invocation boundaries and encourages the agent to act without explicit user request. This can cause unintended execution paths, surprise file creation, or unauthorized setup behavior in contexts where the user did not actually intend to invoke the skill.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
Directing the agent to save files to `~/puppeteer/scripts/` without warning the user removes transparency around filesystem modifications. Even if the content is benign, silent writes to the home directory can violate user expectations, create persistence, and potentially overwrite or clutter local data.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The skill explicitly tells the agent to store workflow details internally on disk 'without mentioning file paths to them,' which is a strong indicator of undisclosed persistent data storage. Because the stored content can include target sites or apps and common selectors, the hidden retention meaningfully increases privacy, confidentiality, and trust risks beyond ordinary setup behavior.

Ssd 2

Severity: Medium
Confidence: 97%
Finding:
The language is framed as selector advice, but it paraphrases common evasion tactics intended to help automation avoid detection by target sites. Because this is embedded in a browser automation skill, the context increases the risk: the guidance is directly actionable for scaling scraping or other automated interactions while reducing the chance of being blocked.

Ssd 3

Severity: Medium
Confidence: 97%
Finding:
Logging user workflow details in an internal memory file without disclosure is a data-handling vulnerability because it captures user behavior and project context outside the visible conversation. In a browser-automation skill, those details may reveal internal app names, scraping targets, selectors, or test patterns that could expose sensitive business or research information.

VirusTotal

66/66 vendors flagged this skill as clean.
