Awublack Openclaw Agent Browser

Security checks across malware telemetry and agentic risk

Overview

This browser skill raises a real review concern: a page URL can be passed into a shell command unsafely, and the docs overstate its privacy and safety.

Install only if you understand the risk and trust the maintainer and the separate agent-browser npm package. Avoid giving it untrusted or unusual URLs until the script uses safe argument passing such as spawn or execFile, validates http/https URLs, and the documentation clearly explains outbound network access and remaining risks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Context-Inappropriate Capability

High (99% confidence)
Finding
The script builds a shell command with untrusted user-controlled input (`url`) and executes it via `child_process.exec`, which invokes a shell. Because the URL is interpolated inside double quotes, shell metacharacters such as command substitution can still be evaluated, allowing arbitrary command execution rather than just browsing a page.

Intent-Code Divergence

High (91% confidence)
Finding
The documentation and metadata repeatedly describe the tool as safe, local, and reliable, but the implementation actually routes attacker-controlled input through a shell. This mismatch increases risk because users and downstream agents may trust the skill with less scrutiny, making exploitation of the command-injection flaw more likely in practice.

Missing User Warnings

Low (84% confidence)
Finding
The README promotes automatic fetching and summarization of arbitrary URLs without clearly warning that using the skill initiates outbound network requests and retrieves potentially sensitive or untrusted content. In a browser-access skill, this can mislead users about privacy, trigger unintended access to internal or authenticated resources, and increase exposure to prompt-injection content from fetched pages.

Vague Triggers

Medium (84% confidence)
Finding
The skill advertises very broad trigger conditions for general web-viewing requests without defining clear scope, allowed domains, or user-confirmation requirements. In a browser-capable skill, this can cause over-invocation on ordinary prompts and increase exposure to unintended browsing, retrieval of sensitive/internal URLs, or prompt-driven misuse of the local CLI.

VirusTotal

66/66 vendors flagged this skill as clean.
