ClawHub
Back to skill

Security audit

Live Web Page Browser

Security checks across malware telemetry and agentic risk

Overview

This is a coherent remote webpage-fetching skill, but users should avoid sending sensitive URLs or authenticated pages through it.

Install only if you are comfortable using AgentPMT as a remote browsing service. Do not submit private intranet URLs, authenticated pages, account secrets, wallet keys, payment headers, or sensitive page screenshots unless you have explicit approval and understand where the request will be processed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The activation keywords are broad enough to match many ordinary research or browsing requests, which can cause the agent to invoke this remote web-fetching skill when the user did not explicitly intend external browsing. In this context, over-triggering is risky because the skill sends requests to external infrastructure and can access live web content, increasing the chance of unintended data disclosure or unreviewed outbound actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill advertises live webpage fetching and screenshot capture but does not prominently warn that requested URLs, page contents, and possibly sensitive browsing targets will be transmitted to an external service. That omission is dangerous because users and downstream agents may treat the capability like a local browser rather than a remote third-party data transfer and visual capture tool.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal