WSL Chrome CDP

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent WSL2-to-Windows Chrome automation helper, but its Chrome debugging access should be treated as sensitive.

Install only on a trusted Windows + WSL2 machine. Use the separate debug Chrome profile for automation, keep port 9222 restricted to localhost or trusted WSL access, avoid broad firewall exposure, verify any PID before using taskkill, and close the debug Chrome session when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Missing User Warnings

Medium
Confidence: 87%
Finding
The README prominently advertises seamless and fully automatic control of a live Windows Chrome instance from WSL without warning that automation may interact with the user's existing browser profile, tabs, cookies, authenticated sessions, and visible data. In this context, the absence of disclosure is security-relevant because users may authorize actions without realizing the skill can operate on sensitive active sessions and affect real browsing state.

Missing User Warnings

Medium
Confidence: 93%
Finding
The usage examples include screenshots, clicking login buttons, filling forms, and extracting page content, all of which are privacy- and account-sensitive browser actions, yet the README provides no caution about consent, sensitive data exposure, or unintended interaction with authenticated sessions. Because this skill is specifically for remote browser control via CDP, these examples normalize potentially invasive actions without safety boundaries, increasing the risk of misuse or user surprise.

Vague Triggers

Medium
Confidence: 93%
Finding
The invocation examples are generic browser requests like '打开百度' ('open Baidu'), '访问 GitHub' ('visit GitHub'), and '帮我截图' ('take a screenshot for me'), which overlap with ordinary user intents rather than clearly signaling use of this specific skill. That increases the chance the skill auto-triggers unexpectedly and performs browser-control setup or process-launch actions when a user only intended normal browsing, reducing transparency and informed consent.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill advertises fully automatic detection, Chrome launch in remote debugging mode, and CDP connection setup without prominently warning that it will start processes and expose a browser debugging interface. Remote debugging can grant powerful control over the browser session, so silently enabling it changes system and security state in a way users may not expect.

Vague Triggers

Medium
Confidence: 88%
Finding
The example invocation phrase uses a very common everyday command ('打开百度' / 'open Baidu'), which is broad enough to overlap with normal user conversation. In a voice- or chat-triggered skill environment, this can cause accidental invocation of the skill and unintended execution of its entry script, which is more sensitive here because the manifest grants script execution and configuration write permissions.

Missing User Warnings

Medium
Confidence: 93%
Finding
The troubleshooting guide instructs users to run `taskkill /F /PID <PID>` to forcibly terminate a process, but it does not warn that `/F` force-kills the target and can cause data loss, interrupt unrelated applications, or terminate the wrong process if the PID is misidentified. In a user-facing skill document, this omission creates a meaningful safety risk even if the intent is ordinary troubleshooting.

Missing User Warnings

Medium
Confidence: 95%
Finding
The document tells users to add a Windows inbound firewall rule allowing TCP port 9222 without explaining the security implications of exposing Chrome DevTools Protocol access. CDP can provide powerful browser control, and opening firewall access without scope restrictions or warnings can expand the attack surface, especially if the rule is broader than localhost-only access.

Missing User Warnings

Medium
Confidence: 97%
Finding
The script automatically launches Chrome with the DevTools remote debugging interface enabled on port 9222 and creates/uses a writable profile directory, but provides no warning, consent prompt, or binding restriction. Chrome DevTools Protocol can expose browser state, cookies, tabs, and automation control; if the port is reachable from another process or host in the WSL/Windows environment, an attacker may be able to drive the browser or access sensitive session data.

VirusTotal

64/64 vendors flagged this skill as clean.
