webpage-reader-skill

Security checks across malware telemetry and agentic risk

Overview

This webpage reader mostly matches its stated purpose, but it can automatically modify the host by installing Chrome and runs user-supplied URLs in headless Chrome without clear safety controls.

Review before installing. Use only if you are comfortable with a skill that may try to install Chrome and contact any URL provided to it. Prefer manually installing Chrome first, avoid running the skill with elevated privileges, and do not use it on localhost, internal network services, cloud metadata addresses, signed-in sensitive pages, or untrusted URLs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
logger.info(f"Running Chrome command: {' '.join(chrome_cmd)}")

# Execute the command and capture output
result = subprocess.run(
    chrome_cmd,
    capture_output=True,
    text=True,
Confidence
93% confidence
Finding
result = subprocess.run( chrome_cmd, capture_output=True, text=True, timeout=60 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
elif system == 'Darwin':  # macOS
    # macOS installation using Homebrew
    try:
        subprocess.run(['brew', 'install', 'google-chrome'], check=True)
        return True
    except subprocess.CalledProcessError:
        logger.error("Homebrew not found. Please install Homebrew first or manually install Chrome.")
Confidence
91% confidence
Finding
subprocess.run(['brew', 'install', 'google-chrome'], check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
distro = platform.dist()[0].lower() if hasattr(platform, 'dist') else 'unknown'

if 'ubuntu' in distro or 'debian' in distro:
    subprocess.run(['sudo', 'apt-get', 'update'], check=True)
    subprocess.run(['sudo', 'apt-get', 'install', '-y', 'google-chrome-stable'], check=True)
    return True
elif 'fedora' in distro or 'centos' in distro or 'rhel' in distro:
Confidence
95% confidence
Finding
subprocess.run(['sudo', 'apt-get', 'update'], check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if 'ubuntu' in distro or 'debian' in distro:
    subprocess.run(['sudo', 'apt-get', 'update'], check=True)
    subprocess.run(['sudo', 'apt-get', 'install', '-y', 'google-chrome-stable'], check=True)
    return True
elif 'fedora' in distro or 'centos' in distro or 'rhel' in distro:
    subprocess.run(['sudo', 'dnf', 'install', '-y', 'google-chrome-stable'], check=True)
Confidence
95% confidence
Finding
subprocess.run(['sudo', 'apt-get', 'install', '-y', 'google-chrome-stable'], check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    subprocess.run(['sudo', 'apt-get', 'install', '-y', 'google-chrome-stable'], check=True)
    return True
elif 'fedora' in distro or 'centos' in distro or 'rhel' in distro:
    subprocess.run(['sudo', 'dnf', 'install', '-y', 'google-chrome-stable'], check=True)
    return True
else:
    logger.error("Unsupported Linux distribution. Please manually install Chrome.")
Confidence
94% confidence
Finding
subprocess.run(['sudo', 'dnf', 'install', '-y', 'google-chrome-stable'], check=True)

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The module is presented as a webpage downloader, but it also attempts to install Chrome on the host. That mismatch is security-relevant because users and orchestrators may grant it permissions appropriate for network retrieval, not for system modification and privileged package operations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly states that the skill may automatically install Chrome if it is missing and download webpage content, but it does not clearly warn users that this can modify the local system and initiate outbound network access. In an agent skill context, undisclosed package installation and remote fetching expand the attack surface and can surprise users or administrators who expect read-only behavior.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly advertises automatic Chrome installation and webpage downloading, which implies system modification and outbound network activity, but it does not clearly warn users about those behaviors, their prerequisites, or their security/privacy implications. In an agent skill context, unclear disclosure is risky because users may invoke the skill expecting passive webpage reading while it may install software or make network requests on their behalf.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill documentation states it may automatically install Google Chrome if missing, which implies modifying the host system, but it does not clearly warn users about package installation, required privileges, network access, or trust implications. In an agent skill context, silent or poorly disclosed software installation increases the risk of unexpected system changes and expands the attack surface if the installation path or package source is later abused.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly downloads arbitrary webpages via a headless browser, but its description does not warn users that it performs live network access to third-party URLs or that request metadata such as IP address, headers, and browser fingerprinting data may be exposed to external sites. This can mislead users about the privacy and security implications of invoking the skill, especially in agentic contexts where URLs may come from untrusted sources.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill can trigger automatic installation and privileged subprocess execution without any explicit user-facing warning or consent flow. In an agent setting, silent host modification is dangerous because operators may not expect a content-fetching utility to invoke sudo or alter installed software.

VirusTotal

65/65 vendors flagged this skill as clean.
