Claw Relay — Browser Access for AI Agents

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed real-browser control skill, but it needs careful review because it can act inside logged-in browser sessions and run arbitrary page JavaScript.

Install only if you intentionally want an agent to control a real logged-in browser through Claw Relay. Use strict site allowlists and minimal scopes, avoid or disable evaluate unless necessary, prefer a dedicated browser profile, and require explicit user approval before submitting forms, purchasing, deleting, publishing, changing account data, or exposing private page content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The client exposes an `evaluate` action that forwards arbitrary JavaScript to execute inside the user's authenticated remote browser session. In the context of a browser-relay skill, this materially expands capability from navigation and form interaction to unrestricted script execution, enabling DOM scraping, token/cookie abuse via page-context access, and actions the user may not reasonably expect from the manifest.

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
This is a true capability-risk issue: `buildAction` accepts arbitrary input and packages it as `{ type: 'evaluate', js: ... }`, enabling unjustified in-browser code execution. Because the skill is designed for authenticated browsing on a real user browser, arbitrary evaluation is more dangerous than in a generic browser tool: it can operate within live sessions and access sensitive page state and user data.

Missing User Warnings

Medium
Confidence: 93%
Finding
This skill explicitly enables remote control of a user's authenticated browser session, including navigation, form interaction, screenshots, and arbitrary page JavaScript execution, but it does not prominently warn about handling sensitive data, consent requirements, or the risks of acting inside real logged-in sessions. In this context, the omission is security-relevant because the capability can expose cookies, private page content, and account data, and can perform impactful actions on behalf of the user.

VirusTotal

65/65 vendors flagged this skill as clean.
