
Security audit

Auto Login

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-aligned for auto-login, but it sends and stores full-page login screenshots and can submit forms automatically without tight controls.

Review carefully before installing. Use only on sites where automation is allowed, avoid pages showing passwords, personal, financial, or confidential data, configure only a trusted vision API endpoint, prefer skip-fill or skip-submit modes when possible, and delete generated screenshots from the OpenClaw workspace after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill advertises local OCR-first but in practice skips local OCR and always sends full-page screenshots to a remote vision API. This is dangerous because users may reasonably expect data to stay local, while the actual behavior transmits potentially sensitive page contents off-host, increasing privacy and data exposure risk.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
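The module is nominally "CAPTCHA recognition", but recognizeFromPage does more than recognize: it also automatically locates the input field, fills in the CAPTCHA, and attempts to click a generic submit/login button. This expansion of capability makes the actual side effects harder for callers or users to anticipate, and may trigger unintended form submission, login, registration, or state changes when visiting arbitrary pages.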

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
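The file includes a standalone CLI that can launch a browser to visit any page based on an externally supplied URL and, combined with the subsequent screenshot, recognition, fill, and click logic, forms a complete remote web interaction chain. This exceeds the least-privilege boundary needed for CAPTCHA recognition alone; if misused or embedded in an automated workflow, it can perform insufficiently reviewed automated actions against arbitrary sites.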

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill heuristically clicks likely submit/validate/login buttons without user confirmation, based on broad text, accessibility, and positional heuristics. On arbitrary sites this can trigger unintended actions such as form submission, login attempts, account state changes, or interaction with sensitive workflows, especially because the skill is designed to operate on untrusted pages.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code saves full-page screenshots of visited pages to disk in a workspace directory, including before/after/error states, without a clear warning that local copies will persist. Those screenshots can contain credentials, personal data, session information, or internal application content, creating local data retention and disclosure risk beyond the remote API exposure.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
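The code takes a fullPage screenshot of the entire page and writes it to ~/.openclaw/workspace. The screenshot may contain account details, personal information, session content, or other sensitive page data, yet the execution path has no user-facing notice, minimized collection, or retention policy. For login pages in particular, writing to disk this way easily leaves sensitive information behind locally and leads to secondary disclosure.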

Missing User Warnings

High
Confidence
98% confidence
Finding
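The module encodes page screenshots and sends them to a remote vision API, and supports any user-defined OpenAI-compatible baseUrl, which means everything visible on the page may be transmitted to a third party or an untrusted service. Because the code path has no explicit notice, confirmation, redaction, or domain restriction, this constitutes a clear risk of sensitive data exfiltration.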

Missing User Warnings

High
Confidence
97% confidence
Finding
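The code automatically fills inferred input fields and automatically clicks inferred submit/login buttons, with no user confirmation or precise scope restriction. Because button and input identification relies on heuristics, a misidentification may trigger login, registration, form submission, verification actions, or other site state changes; the risk is higher than simply reading a page.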

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Accepting secrets via a command-line flag is risky because API keys are often exposed through shell history, process listings, audit logs, CI logs, or system monitoring tools. In a skill that may run in shared environments or agent frameworks, this increases the chance of credential disclosure and reuse against the vision API account.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"author": "Lie Troksky and Athena",
  "license": "MIT",
  "dependencies": {
    "playwright-core": "^1.40.0",
    "tesseract.js": "^5.0.0"
  },
  "scripts": {
Confidence
88% confidence
Finding
"playwright-core": "^1.40.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"license": "MIT",
  "dependencies": {
    "playwright-core": "^1.40.0",
    "tesseract.js": "^5.0.0"
  },
  "scripts": {
    "test": "node index.mjs",
Confidence
88% confidence
Finding
"tesseract.js": "^5.0.0"

VirusTotal

VirusTotal findings are pending for this skill version.