axelhu-playwright-scrape

Security checks across malware telemetry and agentic risk

Overview

This scraper is transparent about its goal, but it can reuse your logged-in Chrome profile through a persistent debugging setup, giving it broad access to private browser sessions.

Install only if you are comfortable allowing the skill to operate with browser-level access. Prefer an isolated Chrome profile or test account, avoid the persistent google-chrome wrapper and ~/.bashrc PATH change, close the debug Chrome instance after use, and approve each logged-in or sensitive URL before scraping.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

High (98% confidence)
Finding
The skill explicitly instructs the agent to attach to a live Chrome instance using the user's default profile and reuse authenticated cookies/session state for scraping logged-in sites. This enables access to private account data and direct API calls as the user, which can bypass normal consent and authentication boundaries if the agent is given an arbitrary URL or target.

Intent-Code Divergence

Medium (93% confidence)
Finding
The documented rule says sensitive URLs require user confirmation, but the skill only states this as guidance and provides a workflow that can immediately access authenticated pages and cookies once connected to the user's browser. Because there is no technical enforcement, an agent or downstream wrapper could scrape sensitive logged-in content without an actual confirmation step.

Missing User Warnings

Medium (96% confidence)
Finding
The script starts Chrome with a remote debugging port and points it at the user's real default profile, which exposes authenticated browser state such as cookies, sessions, tabs, and potentially saved data to anything that can reach the DevTools endpoint. This is made more dangerous by the explicit reuse of the logged-in profile and the use of --no-sandbox, while the script provides no warning, access restriction, or isolation of browser data.

VirusTotal

VirusTotal findings are pending for this skill version.