Gbrow

Security checks across malware telemetry and agentic risk

Overview

Gbrow is a real browser automation skill, but it bundles under-disclosed access to browser sessions, local files, repository state, and an external agent runner.

Review before installing. Prefer a pinned clone over the curl-to-bash installer, run it in an isolated workspace and browser profile, avoid importing cookies for sensitive accounts, and do not use headed/sidebar features unless you intend to allow local agent execution, repository writes, and persistent browser/session storage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (43)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill advertises powerful capabilities including shell execution, network access, and environment access, but does not declare permissions or clearly bound them. In an agent setting, hidden capability surface is dangerous because users and orchestrators cannot accurately assess what the skill may do, increasing the risk of unintended command execution, data access, or network actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior materially understates the actual capability set: headed browser launch, extension loading, subprocess spawning, worktree/repository writes, CSS mutation, telemetry capture, and browser-profile cookie decryption/import are far more sensitive than a simple headless browsing tool. This mismatch prevents informed consent and can mislead an agent into invoking functionality with significant privacy, integrity, and execution risks.

Intent-Code Divergence

Medium
Confidence
73% confidence
Finding
The documentation claims 'No API calls' while explicitly instructing use of an HTTP API with bearer-token authentication. Although the API is local, the contradiction is security-relevant because it can mislead users about the network and service exposure model, reducing scrutiny of token handling and local service risks.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Headed launch uses a fixed persistent Chromium profile under the user's home directory, causing cookies, session data, history, and extension state to survive across runs. In an agent skill that browses arbitrary sites and may handle sensitive accounts, persistent profile reuse increases cross-session data leakage, unintended authentication carryover, and forensic residue on disk.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The handoff flow reads a local state file, extracts a token, and writes it into the extension directory for bootstrap. Even though this appears intended for local coordination, it expands secret handling beyond the minimum needed for browser control and creates additional at-rest copies of authentication material that could be read by other local processes or left behind after use.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
`ensureStateDir` silently edits the repository's `.gitignore`, which is a persistent modification to project metadata unrelated to core browser automation. Even though the appended entry is only `.gstack/`, changing VCS config without explicit consent can hide artifacts from version control review and violates least surprise for a skill that claims to be a browser utility.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
This module intentionally executes external OS commands (`security` and `secret-tool`) to retrieve browser encryption secrets, then uses them to decrypt stored browser cookies. Although arguments are hardcoded and shell injection risk is reduced, this is still credential-access behavior that can extract authenticated session material from the host, which is highly sensitive in an agent skill context.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill metadata emphasizes a headless browser, but the code supports headed mode, human handoff, resume, and user observation. This mismatch can mislead users and downstream agents about the true capabilities of the skill, increasing the chance that local interactive browsing or user-monitoring features are enabled without informed consent.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The `inbox` command accesses a local repository directory, reads JSON message contents, and can delete those files with `--clear`, yet this local file access is not disclosed in the skill description. In an agent context, undisclosed repository reads and destructive file operations materially expand the trust boundary and can expose sensitive project data or erase user messages.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The `state save/load` feature persists browser state to disk, including plaintext cookies and page history, which goes beyond the advertised cookie import capability. Stored authentication cookies are sensitive secrets; if the local filesystem is accessed by another process or user, sessions may be stolen and browsing context reconstructed.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The `storage set` path performs a write to `localStorage` inside a module explicitly described as read-only. In an agent skill context, this semantic mismatch can bypass higher-level safety assumptions, allowing prompts or callers that believe they are using harmless read commands to alter application state, influence workflows, or seed tokens/flags in the browser.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This browser skill embeds a second persistent agent subsystem that goes well beyond headless browsing: it creates git worktrees, persists chat/session data, and orchestrates queued prompts for a Claude subprocess flow. That materially expands the privilege and data-handling surface of the skill, enabling repository interaction and durable storage of sensitive browsing/chat context in ways not implied by the advertised browser-only purpose.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The code discovers local Claude binaries, creates git worktrees, and prepares queued execution of local tooling despite being presented as a browser skill. This hidden capability broadens the trust boundary from browser automation to local developer-environment interaction, which can expose repositories, execute unintended workflows, or let web-originated/user-provided content influence higher-privilege local actions.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The code spawns a separate `claude` subprocess and grants it broad tools including `Bash` and `Write`, which materially exceeds the advertised headless-browser capability. Because the subprocess arguments can come directly from queue entries, this creates a powerful execution path that can read, modify, and act on the local workspace far beyond browser automation.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The skill writes user/browser-derived messages into `.context/sidebar-inbox` within the git repository, creating an undocumented cross-channel data flow to other local agents or tooling. In a browser skill context, persisting observations into the repo can leak sensitive page content, influence other automation, and surprise users who expected only in-browser actions.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The code discovers the git root and creates files under the repository for purposes unrelated to core browser control, expanding the skill's reach into the user's workspace. In this context, repo discovery plus file creation enables unintended persistence and interaction with developer tooling, which is riskier than the manifest suggests.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Launching a general-purpose Claude subprocess with `Bash,Read,Glob,Grep,Write` gives the skill broad local-system and filesystem capabilities inconsistent with a browser-focused tool. The danger is amplified because queue entries can supply `args`, allowing external input to influence the subprocess invocation and potentially weaken safeguards or expand capabilities.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The comment downplays risk by claiming `Write` does not expand the attack surface, but granting `Write` clearly adds file-modification capability beyond read or browser actions. Misstating the security boundary can lead reviewers and integrators to neglect necessary controls, increasing the likelihood that dangerous permissions are accepted without proper scrutiny.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The cleanup feature explicitly targets paywalls, subscription walls, blur filters, truncation, and other access-control-like UI barriers, which goes beyond ordinary navigation or screenshotting and can be used to bypass publisher restrictions. In a browser automation skill, this is materially risky because it enables unauthorized access to gated content and normalizes anti-paywall behavior as a built-in capability.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Importing cookies from installed local browsers accesses highly sensitive session data that may grant authenticated access to third-party accounts. In an agent skill, this is especially dangerous because it expands from ordinary browser automation into credential/session extraction from the host environment, and the direct CLI path can perform the import without any meaningful confirmation step in this code.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The setup instructions encourage piping a remotely fetched script directly into bash without integrity verification or review. If the repository, branch, transport, or upstream content is compromised, users could execute arbitrary code immediately on their machine.

Missing User Warnings

High
Confidence
98% confidence
Finding
The setup flow explicitly promotes curl-to-bash execution of remote content with no integrity verification, signature checking, pinning, or user confirmation. This creates a direct remote code execution path: if the source is compromised, tampered with in transit, or replaced upstream, arbitrary commands will run immediately on the user's machine.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The activity stream forwards navigation URLs and truncated command results to any current subscriber, while only selectively redacting arguments. URLs commonly contain sensitive path/query data, and command results may include page content, tokens, PII, or other session-derived data; exposing them through an internal stream increases the risk of unintended data disclosure to extensions, UI components, or other consumers. In a headless browser skill, this is more dangerous because the component handles highly sensitive browsing state, cookies, auth flows, and user-driven automation across arbitrary sites.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The headed launch path writes an auth token to `.auth.json` inside the extension directory without any visible consent, warning, or lifecycle management in this file. Writing bearer-style tokens to disk creates an avoidable local secret exposure risk, especially in a browser automation tool where extensions and profiles may persist between sessions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The state save/restore logic captures cookies plus localStorage and sessionStorage for all open pages and later replays them into a new context. In this skill's context, that can preserve authentication state and sensitive site data across transitions or handoffs without explicit disclosure, increasing the chance of over-collection, unintended retention, or session confusion if reused in the wrong context.

VirusTotal

66/66 vendors flagged this skill as clean.
