ClawHub

Nm Scry Browser Recording

Security checks across malware telemetry and agentic risk

Overview

This skill is a plain Playwright browser-recording guide that creates local video/GIF artifacts, with privacy cautions users should manage.

Install this only where browser recording is intended. Use test accounts and sanitized data, avoid recording secrets or private dashboards, review videos and GIFs before sharing, and delete raw recordings when they are no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger list is broad enough to activate on common terms like `browser`, `video`, `web`, or `tutorial`, which can cause the skill to be selected in unrelated contexts. In an agent setting, over-broad routing can lead to unintended browser automation, file creation, or tool invocation when the user did not explicitly ask for recording, increasing the chance of unsafe or privacy-impacting actions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill describes recording browser sessions and writing video/GIF artifacts but does not warn that captured content may include sensitive on-screen data, authenticated sessions, tokens visible in the UI, or local file paths. In this context, omission of a privacy and output warning is meaningful because the core function is to record and persist visual data, which can easily leak confidential information if users are not prompted to sanitize the environment first.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This module explicitly enables Playwright video recording and documents how to save recordings to disk, but it does not warn that browser sessions may capture credentials, personal data, internal dashboards, tokens visible in URLs, or other sensitive on-screen content. In a browser automation skill, this omission is meaningful because the documented output paths and examples encourage persistence and later retrieval of the recorded files, increasing the chance of unintended data retention or disclosure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This documentation encourages browser session recording and video post-processing but does not warn users that recordings may capture sensitive on-screen data such as credentials, personal information, session identifiers, internal dashboards, or confidential content. In a browser automation/tutorial context, this omission is materially risky because users may record real environments and then store, convert, or share those artifacts without realizing the privacy and security implications.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal