ClawHub

Pinchtab Helper

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate browser-automation skill, but it needs review because broad activation plus live browser control could let an agent navigate, click, type, or submit data with unclear confirmation boundaries.

Install only if you intentionally want an agent to control a browser. Use a separate browser profile or test accounts where possible, review each action before submitting forms or making account changes, and avoid providing credentials or sensitive data unless you trust the publisher and can revoke access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrases are broad enough to match ordinary requests like opening a browser, visiting a site, or searching the web, which can cause the skill to activate in situations the user did not specifically intend. In a browser-control skill, over-broad activation increases the chance of unintended navigation and interaction with external sites, potentially leading to data exposure or unsafe actions.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill provides concrete navigation, clicking, form-filling, and submission actions but does not warn that these operations can affect user accounts, submit data to third-party sites, or trigger irreversible actions. In the context of a browser-control tool, omission of these warnings makes unsafe use more likely because the documented workflow normalizes direct interaction with live websites.

Vague Triggers

High
Confidence
94% confidence
Finding
The trigger list is very broad and matches common user intents such as opening a browser, browsing the web, searching, or visiting sites. That can cause the skill to activate for many ordinary requests and hand browser control to the skill unexpectedly, increasing the chance of unauthorized navigation, data exposure, or unsafe automation actions.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal