Fetch Archive to Lexiang

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real archiving skill, but it needs Review because it can reuse browser sessions and cookies and send archived content to external services without strong consent boundaries.

Install only with the expectation that the skill may access your logged-in Chrome sessions, use cookies for paid or private sites, send article/transcript/PDF text to cloud AI providers, and upload copies to Lexiang/Tencent-backed storage. Prefer an isolated browser profile, disable cookie/CDP modes unless needed, avoid sensitive accounts or confidential documents, use environment variables instead of CLI token arguments, and confirm each translation or upload destination before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        # On macOS, cookies are encrypted. We need to decrypt them.
        # Get the Chrome Safe Storage key from Keychain
        try:
            result = subprocess.run(
                [
                    "security",
                    "find-generic-password",
Confidence
99% confidence
Finding
result = subprocess.run( [ "security", "find-generic-password", "-s", "Chrome Safe Storage",

Context-Inappropriate Capability

High
Confidence
100% confidence
Finding
The function explicitly extracts cookies from Chrome's database and decrypts them using the Keychain-derived secret, then repackages them for browser automation. This is classic session hijacking behavior: possession of those cookies can grant access to paid content and authenticated accounts without the user's explicit per-site consent.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The module advertises attaching to the user's real Chrome over CDP specifically to bypass anti-automation and Cloudflare protections while inheriting the full login state. That creates a powerful mechanism to act as the user against protected services and intentionally defeats access controls rather than simply fetching public content.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The docstring openly states the tool 'completely bypasses' Google and Cloudflare anti-automation detection. That is a strong indicator the implementation is designed to evade service protections, which increases the likelihood of deliberate abuse and can facilitate unauthorized access workflows.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly promotes accessing paid or login-walled content via Chrome cookie injection and CDP mode, but does not warn users about the sensitivity of authenticated session data, consent boundaries, or privacy/legal implications. In an agent context, this can normalize handling live browser sessions and cookies in ways that expose account access, subscription-only content, or personal data far beyond what a user intended.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README tells users the agent will automatically clone the repository, install dependencies, and perform initial configuration, but does not clearly warn that this causes code execution and system modification. In agent environments, silent installation behavior increases supply-chain and local-environment risk because users may not realize external code and packages are being fetched and run.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger keywords are broad enough to activate this highly privileged skill for ordinary conversations unrelated to archiving. Because the skill can read local files, use browser login state, download protected content, and upload data to external services, accidental invocation materially raises the chance of unintended collection and transmission.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script accesses Chrome cookies and the Keychain without an explicit consent checkpoint at the time of execution. Even if the broader tool is user-invoked, silently harvesting browser session material is dangerous because users may not understand they are authorizing extraction of reusable credentials.

Missing User Warnings

High
Confidence
98% confidence
Finding
This code copies the user's real Chrome cookie database into a separate CDP profile automatically and without an explicit warning. Duplicating session stores broadens the exposure of authenticated data and makes session replay or accidental leakage more likely.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script transmits full Markdown content to an external LLM API without any user confirmation, warning, or data classification check. In this skill context, the tool handles archived articles, paywalled content, transcripts, and other potentially sensitive material, so silent exfiltration to a third party creates privacy, compliance, and contractual risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script defaults to extracting cookies from the local Chrome profile and sending them to yt-dlp for requests, which can use sensitive authenticated session material without a strong user warning or explicit opt-in. In this skill's context, the stated goal includes bypassing login/paywalls, which makes silent credential use materially more dangerous and privacy-sensitive.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Transcript paragraphs are sent to the OpenAI API for translation, but the script does not clearly warn that potentially private or copyrighted content will be transmitted to a third-party service. Because this tool is designed to process paywalled/login-gated media, the privacy and compliance implications are higher than for generic public content.

Ssd 3

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to persist arbitrary user-provided evaluation text to temporary files and inject it into documents without any sensitivity review. This can leak secrets, personal data, internal assessments, or regulated content into local storage and onward into the external knowledge base, especially because the text may contain confidential business commentary the user did not intend to archive verbatim.

VirusTotal

VirusTotal findings are pending for this skill version.
