AutoClaw Browser Automation

Security checks across malware telemetry and agentic risk

Overview

This skill is a real browser automation tool, but it gives an agent persistent full-browser control with weak authentication and broad local access.

Review carefully before installing. Only use this if you intentionally want an agent to control authenticated browser tabs. Set a unique token, disable auto-attach-all, run the MCP server only while needed, avoid sensitive tabs, and treat cookies/storage, screenshots, JavaScript execution, bookmark deletion, login-session restore, cloud API keys, and bridge calls as high-risk operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (34)

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The README advertises powerful browser-control features including JavaScript execution, cookie access, and login-state manipulation without defining a narrowly scoped purpose or trust boundary. In an AI-driven skill, these capabilities materially increase the chance of credential theft, session hijacking, or abuse of authenticated browser state if invoked broadly or prompted indirectly.

Context-Inappropriate Capability

Medium
Confidence: 84%
Finding
Operation recording/playback and reusable workflow automation expand the skill from interactive assistance into repeatable browser automation, which can amplify mistakes or abusive actions across many pages or accounts. Without strong limits, these features can be used to automate account actions, bulk interactions, or other unintended behavior at scale.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The README publicly exposes a built-in authentication token, which is a direct secret disclosure. If the token is valid, anyone with access to the documentation may be able to connect to or impersonate the MCP service, enabling unauthorized browser control or access to sensitive browser state.

Context-Inappropriate Capability

Medium
Confidence: 87%
Finding
The skill exposes bookmark creation, modification, movement, and deletion capabilities that are broader than ordinary page automation and can alter persistent user browser data. In an agent-controlled context, this can be abused to destroy bookmarks, insert phishing links, or silently tamper with browser state beyond the active page.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
Cookie and storage access enables reading and writing sensitive session material, authentication state, and site data across origins. In a browser automation skill, these capabilities materially increase the risk of account takeover, session hijacking, privacy loss, and stealthy persistence if misused by an agent or compromised component.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
Arbitrary JavaScript execution in the page context allows unrestricted interaction with DOM, page data, tokens accessible to scripts, and browser-exposed application logic. This bypasses safer high-level automation primitives and can be used to exfiltrate sensitive data, alter workflows, or perform unintended actions on any visited site.

Intent-Code Divergence

Low
Confidence: 98%
Finding
The documentation embeds a built-in authorization token while stating a custom token is optional, which implies deployments may share a static secret. A hardcoded credential is easily copied from documentation and can allow unauthorized local or adjacent-process access to the MCP service if network exposure or local compromise occurs.

Intent-Code Divergence

Medium
Confidence: 99%
Finding
The extension presents an integrity/authenticity verification flow, but `verifyIntegrity()` only checks whether `chrome.runtime.getManifest()` returns a manifest, which will be true for essentially any installed extension. This creates a false sense of security and can mislead users into trusting tampered or repackaged builds, especially because the result gates privileged actions like `authorizeAndAttachAll`.

Intent-Code Divergence

High
Confidence: 99%
Finding
`isAuthValid()` unconditionally returns `true` despite comments and surrounding logic implying an authorization check. As a result, all privileged behaviors—automatic connection, tab attachment, debugger control, and startup automation—are effectively always authorized, removing any meaningful access control from a highly sensitive browser-automation extension.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The options UI explicitly advertises that an AI agent can gain full control over all browser tabs, including reading page content, filling forms, clicking elements, and executing JavaScript. In a browser extension context, this is a highly sensitive capability set that can expose credentials, session data, and user activity; the warning text acknowledges risk but does not meaningfully constrain or justify the access.

Context-Inappropriate Capability

Medium
Confidence: 80%
Finding
The bookmark classification feature introduces optional cloud/database access and API key handling, which creates a path for bookmark metadata or visited-page-derived information to be transmitted to external services. In a browser automation tool, bookmarks can reveal sensitive interests, internal resources, or work systems, so externalizing this data without clear data minimization, privacy guarantees, or purpose limitation is risky.

Intent-Code Divergence

Medium
Confidence: 89%
Finding
The helper claims to avoid exposing real system paths, but it only strips prefixes matching an autoclaw path. Any other absolute path is returned unchanged, which can leak host filesystem locations in errors or logs. In a browser-automation server that handles file paths and exports, path disclosure increases reconnaissance value for follow-on attacks.

Intent-Code Divergence

Low
Confidence: 87%
Finding
The supposedly concise page-structure summary includes current input values, which may capture sensitive user-entered data such as search queries, emails, or partially typed secrets. For an AI-facing automation tool, returning input values broadens data exposure beyond structural page understanding.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The bridge tool spawns a local CLI subprocess from tool input, giving the skill a broad local-execution capability unrelated to ordinary browser control. Even if intended for integration, this materially expands the trust boundary and can let an agent trigger sensitive local actions through the installed CLI environment.

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The skill description says it only batch-opens webpages and saves screenshots, but the workflow also extracts page structure, links, and buttons. This creates a scope mismatch that can expose additional page metadata or aid downstream scraping/automation without the user's informed understanding.

Intent-Code Divergence

Medium
Confidence: 84%
Finding
The top-level parameters suggest batch processing of multiple URLs, but the actual workflow hardcodes only one URL. This discrepancy can mislead operators about what inputs are honored, weaken reviewability, and hide real behavior behind seemingly broader but unused configuration.

Missing User Warnings

High
Confidence: 99%
Finding
The changelog publicly exposes a concrete built-in token value, which is a credential disclosure issue even if labeled as 'built-in.' Anyone with access to this documentation may be able to authenticate to the MCP server or impersonate trusted clients where that token is accepted, enabling unauthorized browser control or access to sensitive browsing data.

Vague Triggers

Medium
Confidence: 76%
Finding
The README describes broad natural-language activation such as 'just speak' for sensitive browser actions, but does not define invocation boundaries, approval steps, or disambiguation rules. In an agent setting, ambiguous activation increases the risk of unintended execution of login, navigation, or state-changing actions from casual or indirect prompts.

Vague Triggers

Low
Confidence: 67%
Finding
The repeated 'just speak' and similar phrasing makes the control model sound more permissive than it should be, which can mislead users about when the skill will act. While largely a documentation issue, ambiguous messaging around activation can contribute to unsafe assumptions and accidental triggering of browser actions.

Missing User Warnings

High
Confidence: 87%
Finding
The README highlights sensitive actions such as logging into websites, taking screenshots, and manipulating browser state without warning users about privacy, credential exposure, or account-impact risks. In a browser-control skill, omission of these warnings is dangerous because users may unknowingly authorize actions affecting authenticated sessions and personal data.

Missing User Warnings

High
Confidence: 93%
Finding
Listing cookie and localStorage read/write capabilities without any disclosure of their sensitivity normalizes direct access to session material and stored secrets. In context, these capabilities can expose authentication tokens, persist malicious state, or hijack user sessions if misused by the agent or an unauthorized caller.

Missing User Warnings

Medium
Confidence: 80%
Finding
The README promotes automation workflows and bulk actions such as auto-like, sign-in, and form fill without cautioning that repeated or replayed actions can cause unintended submissions, policy violations, or other irreversible effects. This is more dangerous in an AI/browser automation context because one mistaken workflow can be replayed consistently and at scale.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill advertises access to screenshots, page content, cookies, storage, bookmarks, and saved login sessions without any prominent privacy warning, consent model, or data-handling explanation. Because these features touch highly sensitive browser data, omission of user warnings increases the likelihood of silent collection, over-broad access, and unsafe deployment.

Missing User Warnings

Medium
Confidence: 90%
Finding
The documentation lists destructive operations such as closing tabs, deleting bookmarks and folders, and modifying storage without warning about data loss, session breakage, or unintended browser-state corruption. In an automated agent setting, lack of safeguards can turn ordinary mistakes into irreversible user-impacting actions.

Missing User Warnings

Medium
Confidence: 95%
Finding
A built-in token is hardcoded in source and later stored automatically on install, which means every copy of the extension may share a reusable secret. Shared embedded credentials are easily extracted from extension code and can enable unauthorized access to the local gateway or any service that trusts the token.

VirusTotal

66/66 vendors flagged this skill as clean.