FounderClaw

Security checks across malware telemetry and agentic risk

Overview

FounderClaw is a real multi-agent engineering toolkit, but it installs broad browser, cookie, local-agent, and configuration-changing capabilities that need careful review before use.

Install only if you are comfortable granting FounderClaw broad local automation authority. Treat cookie import as access to your real logged-in accounts, avoid it on shared machines, review the daemon and extension behavior, and back up or avoid local modifications in the FounderClaw install directory before using upgrade/install commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (154)

Description-Behavior Mismatch

Severity: Medium | Confidence: 92%
The architecture describes substantial hidden capabilities beyond the manifest description, including a persistent localhost browser-control daemon and browser automation stack. This is dangerous because users may grant or install the skill expecting only a multi-agent engineering workflow, while the skill actually introduces a long-lived local service that can browse, retain session state, and interact with browser data.

Description-Behavior Mismatch

Severity: High | Confidence: 98%
The documented ability to access Chromium cookie databases and decrypt/import cookies is a sensitive credential-handling capability that is not reflected in the high-level manifest description. Undisclosed credential access materially increases risk because users cannot make an informed trust decision before enabling the skill.

Context-Inappropriate Capability

Severity: High | Confidence: 97%
Reading Chromium cookie databases, invoking macOS Keychain, decrypting cookies in-process, and caching derived keys in memory creates direct access to authenticated web sessions. Even if intended for convenience, this is dangerous because compromise or misuse of the daemon could expose session tokens and allow account takeover across websites.

Context-Inappropriate Capability

Severity: Medium | Confidence: 81%
The preamble introduces session tracking and contributor logging behavior that writes telemetry-like artifacts to the filesystem outside the manifest's stated purpose. While not as severe as credential access, undisclosed persistence and local behavior logging can leak usage patterns, project metadata, or user activity across sessions.

Intent-Code Divergence

Severity: Medium | Confidence: 96%
The skill claims to be read-only, but its instructions explicitly direct writing a baseline file and benchmark reports to disk. That mismatch can mislead users and higher-level agents into permitting filesystem modifications they did not intend, which undermines trust and can cause unintended state changes in the workspace.

Context-Inappropriate Capability

Severity: High | Confidence: 98%
This module is explicitly designed to locate, decrypt, and return real Chromium browser cookies by reading browser databases and deriving decryption keys from macOS Keychain or Linux libsecret. That is credential/session-token extraction capability, which is far broader than the declared 'multi-agent engineering team' purpose and could enable account hijacking if exposed to an agent or user workflow.

Context-Inappropriate Capability

Severity: High | Confidence: 98%
The code spawns system commands to query macOS Keychain and Linux secret stores in order to derive browser encryption keys and decrypt cookies. Accessing OS credential stores from an engineering assistant is highly sensitive behavior and materially increases the risk of covert credential theft and session replay.

Intent-Code Divergence

Severity: Medium | Confidence: 97%
The file explicitly states these routes are unauthenticated because they are assumed to be localhost-only, but the handler does not verify the request origin, host, or client address. If the server is ever bound beyond loopback, proxied, or exposed through port-forwarding/container networking, a remote party could enumerate browsers/profiles/domains and import or remove decrypted browser cookies from the Playwright session.

Context-Inappropriate Capability

Severity: Medium | Confidence: 92%
The `inbox` command reaches outside browser automation and reads files from the local Git workspace's `.context/sidebar-inbox` directory, exposing project-local data that may contain sensitive user messages, URLs, or workflow context. Because it can also clear those files with `--clear`, the command expands the skill's authority into local filesystem access and destructive modification unrelated to ordinary browsing, which increases the risk of data exposure and tampering in a multi-agent environment.

Intent-Code Divergence

Severity: High | Confidence: 98%
The module header explicitly frames these commands as having 'no side effects', but several commands mutate browser or tool state: `js`/`eval` can run arbitrary DOM-changing code, `storage set` writes to localStorage, and `--clear` variants erase buffers. This mismatch is dangerous because downstream agents or users may grant broader trust to a supposedly read-only interface and inadvertently trigger state changes or destructive actions.

Context-Inappropriate Capability

Severity: High | Confidence: 99%
The `js` and `eval` commands execute arbitrary JavaScript in the page context, which allows modification of the DOM, storage, network-triggering fetches/XHRs, and interaction with page-resident secrets accessible to that origin. In a browsing skill presented as read-oriented, this effectively grants code-execution capability over visited sites and can be abused to alter application state or exfiltrate sensitive data.

Context-Inappropriate Capability

Severity: Medium | Confidence: 97%
`storage set` writes directly to `localStorage`, contradicting the file's read-only semantics and enabling mutation of application state for the active origin. This can change authentication/session behavior, feature flags, or app configuration in ways that are invisible to users expecting passive inspection.

Context-Inappropriate Capability

Severity: High | Confidence: 95%
The sidebar bridge queues prompts for a general Claude subprocess with Bash, Read, Glob, and Grep privileges, giving natural-language input a path to arbitrary local command execution and filesystem access. In a browser-assistant context, untrusted web content or sidebar messages can influence the agent, so this becomes a dangerous capability-escalation boundary rather than a harmless helper feature.

Description-Behavior Mismatch

Severity: High | Confidence: 99%
The unauthenticated /health endpoint returns the live bearer token that protects all privileged routes, which completely defeats the authentication model. Any local process—and potentially a malicious website via localhost requests if browser/network policy permits—can fetch the token and then drive browser commands, access sidebar data, kill agents, or post agent events as an authenticated caller.

Description-Behavior Mismatch

Severity: Medium | Confidence: 95%
The file header says the agent polls a queue, spawns Claude, and relays events, but the implementation also persists queue message contents into a git repository under .context/sidebar-inbox. That is a real security/privacy issue because queued sidebar messages may contain sensitive prompts, URLs, or session context, and this side effect is undocumented, expands the data-retention surface, and may expose data to other repo tools, commits, or agents.

Context-Inappropriate Capability

Severity: Medium | Confidence: 93%
The sidebar agent performs git-root discovery and writes observation files into the current repository, which is outside its stated queue-polling/event-relay role. In this skill context, that is more dangerous because the broader system is a multi-agent engineering environment, so dropping files into a shared repo-scoped .context directory can trigger downstream automation, leak user content across agents, or create hidden persistent state that influences later runs.

Context-Inappropriate Capability

Severity: Medium | Confidence: 88%
The `cookie-import-browser` command expands a page-interaction tool into a credential-harvesting capability by reading cookies from installed local browsers and injecting them into the automation context. Browser cookies often contain active session tokens, so this can enable account takeover or cross-account impersonation if an agent is induced to import cookies for sensitive domains.

Context-Inappropriate Capability

Severity: Medium | Confidence: 74%
Launching a local picker UI via `Bun.spawn(['open', pickerUrl])` gives this command handler an additional subprocess-execution capability unrelated to ordinary page writes. Even though the URL is localhost, spawning local applications increases attack surface and can create unexpected side effects in environments where the skill should only control the browser page.

Intent-Code Divergence

Severity: Medium | Confidence: 95%
The skill declares itself "Read-only" but also instructs writing JSONL monitoring entries and updating baseline screenshots and metadata. That mismatch can cause an agent or user to permit filesystem changes under a false safety assumption, which is a real integrity and trust-boundary issue even if the writes are operational rather than overtly malicious.

Context-Inappropriate Capability

Severity: Medium | Confidence: 89%
The skill instructs opening a local HTML file in the user's browser and sending a POST request to a localhost service to reload content. Even though localhost is not an external host, this expands the skill from document generation into active browser and local service manipulation, which can affect other local tooling or be abused if the target service exposes more than the expected reload API.

Context-Inappropriate Capability

Severity: Medium | Confidence: 94%
The skill modifies CLAUDE.md in addition to producing DESIGN.md, which changes persistent agent behavior for future tasks. This is risky because it creates hidden, repo-level instruction drift beyond the user-visible deliverable and can influence subsequent operations without clear disclosure.

Description-Behavior Mismatch

Severity: Medium | Confidence: 95%
The manifest states that the skill creates DESIGN.md, but the body also directs modification of CLAUDE.md with future enforcement instructions. This mismatch is dangerous because users and orchestrators may grant trust based on a narrower declared scope while the skill actually performs broader persistent changes.

Description-Behavior Mismatch

Severity: Medium | Confidence: 92%
The manifest describes a founderclaw-specific browsing aid, but the extension is configured to inject a content script on <all_urls>, giving it visibility and script execution capability on essentially every site the user visits. That scope is broader than the stated purpose and increases the blast radius for data exposure, DOM manipulation, and abuse if the extension code is compromised or overly permissive.

Context-Inappropriate Capability

Severity: Medium | Confidence: 95%
Injecting content scripts into all websites is a powerful cross-site capability that is not justified by the manifest's narrow stated purpose of founderclaw live feed overlays. In the context of a multi-agent startup-building tool, broad page access is more dangerous because the extension may encounter sensitive SaaS dashboards, credentials, internal tools, and business data across many unrelated sites.

Intent-Code Divergence

Severity: High | Confidence: 98%
The skill claims to upgrade founderclaw, but the implementation performs `git reset --hard origin/main`, which forcibly discards tracked local changes after fetching remote content. Although `git stash` may preserve some uncommitted work, it does not justify the destructive reset and can still surprise users or erase intended local modifications, especially if there are conflicts, untracked files, or branch-specific work.

VirusTotal

60/60 vendors flagged this skill as clean.