TOKEN SOP

Security checks across malware telemetry and agentic risk

Overview

This skill can automatically replay browser workflows and upload workflow/session details to a cloud service despite privacy-focused local-cache messaging.

Install only if you are comfortable with the skill reading session history, using your browser context, querying a cloud service, and sharing successful workflow traces by default. Before use, disable auto_contribute if possible, restrict the cloud endpoint to one you trust, avoid sensitive financial/admin/internal sites, and require human review before cached workflows perform state-changing actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (22)

Description-Behavior Mismatch

High, 98% confidence
The skill markets itself as local-only, offline-capable, and privacy-safe, but the default configuration enables automatic contribution to a remote cloud endpoint. This is dangerous because users may reasonably believe sensitive workflows remain local while the skill can upload them externally without clear, informed consent.

Intent-Code Divergence

High, 98% confidence
The document makes strong privacy and offline assurances, yet the configuration contradicts those claims by enabling cloud contribution by default. This mismatch increases the likelihood of unintended data disclosure because users are misled about the actual behavior of the skill.

Context-Inappropriate Capability

Medium, 86% confidence
The client sends arbitrary contributed data plus a node identifier to a remote API endpoint, but this file shows no validation, minimization, consent flow, or restriction on what may be transmitted. In a skill context, this creates a real exfiltration channel for user or environment data if upstream callers pass sensitive content, and the lack of documented purpose increases concern.

Context-Inappropriate Capability

High, 97% confidence
The failure-reporting path uploads detailed execution metadata and a DOM snapshot to a remote feedback endpoint. DOM snapshots can contain credentials, session tokens, personal data, page contents, and internal application state, so sending them off-box without strict controls is a significant data-exposure risk.

Intent-Code Divergence

Medium, 95% confidence
The comments and design claim this sanitizer strips all identifiable information before data leaves the node, but the implementation only covers a narrow set of regexes and a fixed list of field names. This creates a dangerous false sense of privacy: many forms of PII or secrets (for example names in free text, account IDs, passport numbers, auth headers, nested objects, arrays, or non-matching token formats) can pass through unsanitized and be exfiltrated.

Intent-Code Divergence

Medium, 97% confidence
The file-level comment asserts this sanitizer strips all identifiable information before data leaves the node, but the implementation only handles a narrow set of regexes and a fixed list of field names. Many common PII forms and nested/structured values can pass through unchanged, creating a dangerous false sense of privacy control at a critical trust boundary.

Missing User Warnings

Medium, 92% confidence
The README explicitly states that the skill queries a cloud service and contributes successful session traces, but it does not warn users that workflow or session-derived data may leave the local environment. In a tool that advertises local privacy features, this omission can mislead users about data handling and create privacy, compliance, and consent risks if sensitive prompts, traces, or metadata are transmitted externally.

Missing User Warnings

High, 95% confidence
The configuration exposes an automatic cloud contribution feature and a remote API endpoint, but the documentation does not clearly warn that local workflows may be transmitted off-device. If workflows contain prompts, credentials, internal procedures, or sensitive business context, automatic upload can cause privacy, compliance, and confidentiality breaches.

Missing User Warnings

Medium, 89% confidence
The client interface explicitly supports transmitting sensitive browsing-related data including URL, workflow traces, and optional DOM snapshots to a remote API. In an agent skill context, DOM snapshots and trace data can contain secrets, tokens, personal data, or internal application state, and this declaration provides no indication of minimization, redaction, consent, or access controls, making inadvertent data exfiltration a realistic risk.

Missing User Warnings

Medium, 82% confidence
This code performs outbound network transmission of data with no visible user-facing notice, consent, or explanation in the file. While disclosure may exist elsewhere, from this file alone the behavior is silent, which is risky for an agent skill that may process user or system-derived information.

Missing User Warnings

High, 98% confidence
The code silently sends DOM snapshot data during failure reporting without any visible warning or contextual justification. Because DOM captures can include highly sensitive page data, the absence of transparency and controls materially increases privacy and security risk in this skill context.

Missing User Warnings

Medium, 92% confidence
The entry point documentation explicitly states that the skill queries the cloud on every user intent and contributes new workflows after sessions, indicating network data transfer and likely telemetry or content upload. Because there is no mention of user notice, consent, scope limitation, or data handling controls, this creates a real privacy and security concern: user prompts, intents, or session-derived workflows could be sent off-device unexpectedly.

Missing User Warnings

Medium, 92% confidence
The interceptor description explicitly states it will query a cloud service on local misses and contribute successful session traces back to the cloud, but there is no indication of user notice, consent, redaction, or controls around what data is transmitted. Because intents and session traces can contain sensitive credentials, personal data, or operational context, silent exfiltration to a remote service creates a real privacy and data-handling risk.

Missing User Warnings

Medium, 96% confidence
The interceptor sends normalized user intent, current URL, DOM skeleton hash, and node metadata to a cloud service during routine intent handling, with no evidence of explicit user consent, notice, minimization, or opt-in at the point of transfer. This can expose sensitive browsing context, internal URLs, or task content to a remote party and is especially risky because it occurs automatically on every cloud lookup path.

Missing User Warnings

High, 98% confidence
The session-completion hook automatically contributes session-derived workflow data, including intent, URL, DOM hash, workflow, and session metadata, to the cloud when enabled, without any user-facing warning or confirmation. Because workflows are compiled from user actions, they may capture sensitive navigation patterns, internal application structure, or secrets embedded in recorded steps, creating a meaningful data exfiltration risk.

Missing User Warnings

Medium, 90% confidence
The command builder interpolates sanitized action argument values directly into workflow command strings without robust escaping or structured serialization. If sanitization is incomplete, sensitive values may be persisted into reusable workflows, and specially crafted values could alter command parsing or cause unintended behavior when the workflow is later executed.

Missing User Warnings

High, 94% confidence
The manifest enables automatic contribution of successful workflows to a cloud endpoint by default, but the user-facing description does not clearly disclose that workflow data may be transmitted off-device. Because the skill also advertises caching and token savings, users may reasonably assume local optimization rather than cloud sharing, creating a significant consent and privacy gap.

Missing User Warnings

Medium, 88% confidence
The skill requests both network access and session-history related permissions, which together can expose sensitive conversation or workflow content to remote services. The manifest and description do not adequately explain the privacy implications of these capabilities, reducing informed consent and increasing the risk of covert or over-broad data access.

Missing User Warnings

Medium, 93% confidence
The code sends normalized user intent, the current URL, a DOM skeleton hash, and a node identifier to a remote cloud service on every local-cache miss, but this file shows no consent gate, notice, minimization, or policy enforcement before transmission. In an agent/browser-automation context, those fields can reveal browsing targets, user goals, and page structure metadata, creating privacy and data-governance risk if sensitive sessions are processed or the cloud service is compromised.

Missing User Warnings

High, 97% confidence
The session-completion hook automatically compiles successful user sessions into workflows and uploads them to the cloud when auto_contribute is enabled, with no user-facing approval flow in this code. Because workflows are derived from real actions and are sent together with intent, URL, DOM hash, and session ID, they may capture sensitive business processes, internal app structure, or user behavior patterns, making this more serious than the match request path.

Missing User Warnings

Medium, 89% confidence
This code converts previously recorded browser actions directly into executable workflow steps and returns a replayable workflow without any confirmation, provenance marker, or user-facing disclosure that historical actions will later be re-executed. If the original trace contains sensitive navigations or state-changing actions, a user may unknowingly replay them in a new context, causing unintended clicks, form submissions, or data access under their current authenticated session.

Ssd 3

Medium, 97% confidence
Compiling full action history into a reusable workflow and uploading it to the cloud can disclose user-provided inputs and interaction sequences in a form that is more revealing than raw telemetry alone. In this skill's context, the feature is designed for cross-node sharing and replay of browser automation, which makes accidental leakage of credentials, internal workflows, or business-sensitive procedures more dangerous because the uploaded artifact is directly reusable.

VirusTotal

65/65 vendors flagged this skill as clean.
