Smooth Browser

Security checks across malware telemetry and agentic risk

Overview

This is a coherent browser automation skill, but it needs review because it can reuse logged-in browser sessions and perform broad web/account actions without clear safety checkpoints.

Install only if you are comfortable delegating browsing to Smooth as an external automation service. Use separate profiles per site/account, prefer anonymous or read-only profiles for scraping, use allowed URL restrictions, avoid putting passwords or MFA codes in prompts/metadata, and require explicit approval before login reuse, posting, purchases, settings changes, billing access, downloads, JavaScript execution on authenticated pages, or deleting profiles/files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The skill explicitly exposes arbitrary JavaScript execution in a live browser session via `smooth evaluate-js`. In an agent skill whose purpose is broad web automation, this materially expands power beyond ordinary navigation and scraping: injected JS can read/modify page DOM, access in-page tokens/data, trigger state-changing actions, and bypass higher-level guardrails the natural-language interface might otherwise impose.

Vague Triggers

Medium
Confidence: 86%
Finding
The manifest description uses very broad trigger phrases like 'any task on the web' and common actions such as 'log into' or 'scrape', making over-invocation likely for routine requests. Overly broad routing increases the chance that a high-capability browser automation skill is selected when a lower-risk tool would suffice, exposing users to unnecessary session persistence, website interaction, and account-impacting behavior.

Missing User Warnings

Medium
Confidence: 90%
Finding
The profile feature is designed to persist cookies, login sessions, and browser state, but the documentation does not warn about privacy, cross-task data leakage, or risks from reusing authenticated sessions. In an agent context, persisted sessions can silently carry privileged access into later tasks or across websites/users if profile hygiene is poor.

Missing User Warnings

Medium
Confidence: 93%
Finding
The examples encourage passing user information and login-related data through task metadata and task prompts without any prominent warning about secrets handling, minimization, or redaction. That can normalize unsafe transfer of credentials and personal data into automation flows, increasing the likelihood of exposure in logs, prompts, browser sessions, or third-party services.

Missing User Warnings

Medium
Confidence: 91%
Finding
The reuse guidance encourages retaining authenticated profiles and then performing account actions like creating repository issues, but it omits warnings that these sessions may perform irreversible or sensitive actions on behalf of the user. Persistent authenticated browser state substantially raises the risk of unintended account modifications, data access, or abuse if the wrong task/profile is reused.

Missing User Warnings

Low
Confidence: 84%
Finding
The documentation combines file download support and arbitrary browser-side JavaScript execution without clearly describing integrity, privacy, and security risks. Together these capabilities can extract sensitive content, manipulate page behavior, and produce untrusted downloaded artifacts, which is especially risky in a broadly invoked autonomous browser skill.

VirusTotal

66/66 vendors flagged this skill as clean.
