chrome-cdp

Security checks across malware telemetry and agentic risk

Overview

This skill is openly meant to control your live Chrome tabs, including logged-in pages, but it lacks clear safety boundaries and uses unsafe shell command construction.

Install only if you deliberately want an agent to inspect and operate your currently open Chrome tabs. Use a separate Chrome profile with non-sensitive accounts, close private tabs, avoid eval/click/type on sensitive sites, and prefer a version that includes the helper code from a pinned source and replaces shell command concatenation with safe argument passing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The header describes the skill as giving access to already-open Chrome tabs, but the implementation also includes active capabilities such as clicking, typing, navigation, and arbitrary JavaScript evaluation. This mismatch can mislead users or integrators into granting the skill broader trust than warranted, increasing the chance of unintended browser manipulation, data theft, or destructive actions in authenticated sessions.

Missing User Warnings

Medium
Confidence: 92%
Finding
The README explicitly promotes automation against an existing Chrome session and demonstrates actions such as navigation, clicking, typing, screenshots, and JavaScript execution without warning that these operations act on the user's live tabs and authenticated state. In a skill context, this can lead users or downstream agents to manipulate logged-in accounts, capture sensitive page content, or disrupt active browsing sessions without informed consent or isolation.

Missing User Warnings

High
Confidence: 96%
Finding
The skill explicitly advertises access to already logged-in Chrome tabs, including sensitive services such as Gmail and GitHub, and the ability to interact with the user's live browsing session. This creates a high-risk capability for unauthorized access to session-bound private data and privileged actions, yet the documentation does not prominently warn about credential, privacy, or account-impact risks.

Missing User Warnings

High
Confidence: 98%
Finding
The documented commands allow live interaction with open tabs, including clicking, typing, navigation, and arbitrary JavaScript evaluation, which can trigger irreversible state changes such as sending messages, modifying settings, or exfiltrating page data. Because these operations run against the user's active authenticated browser context without strong warnings or safety controls, the skill materially increases the risk of harmful or unauthorized actions.

Vague Triggers

Medium
Confidence: 87%
Finding
The manifest exposes powerful browser-debugging capabilities including navigation, clicking, typing, HTML extraction, JavaScript evaluation, screenshots, and network access, but it does not define any activation boundaries, consent requirements, or task-scoping constraints. In the context of an agent skill that can access already-open Chrome tabs via remote debugging, this ambiguity materially increases the risk of unauthorized browsing actions, data exfiltration, and destructive page interaction if the skill is invoked too broadly or by prompt injection.

Missing User Warnings

Medium
Confidence: 95%
Finding
These functions can extract sensitive browser-resident data from open tabs, including page HTML, accessibility trees, screenshots, and network details, without any user-facing disclosure, confirmation, or scope restriction. In the context of an already-authenticated browser, this can expose session-bound content such as emails, documents, tokens, account data, or internal applications.

Missing User Warnings

Medium
Confidence: 98%
Finding
The page-interaction and script-execution functions perform impactful actions—clicking elements, typing text, navigating pages, and evaluating arbitrary JavaScript—without any explicit warning, approval flow, or safety boundary. In an authenticated browser session, this enables transaction execution, account changes, malicious navigation, or arbitrary DOM/script-based extraction and manipulation on behalf of the user.

VirusTotal

65/65 vendors flagged this skill as clean.
