Drission Agent

Security checks across malware telemetry and agentic risk

Overview

This browser automation skill exposes a local browser-control relay while overstating its safety controls and omitting the claimed human-gated wrapper from the package.

Review carefully before installing. Use only in an isolated sandbox, avoid pointing it at a personal or logged-in browser profile, and do not rely on the claimed human-only lockout unless the missing wrapper and related controls are supplied and independently reviewed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises strong safety controls while exposing capabilities consistent with environment access, file writing, networking, and shell-adjacent execution requirements, yet it declares no explicit permissions. This creates a transparency and governance gap: downstream systems or reviewers may underestimate what the skill can do, making misuse or over-privileged deployment more likely.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The file makes unusually strong claims that every script is locked, human-gated, and unusable by autonomous agents, while the documented asset inventory includes network scraping, report writing, a TCP relay/tunnel, raw CDP browser control, and protocol impersonation. That mismatch is dangerous because the repeated 'Fortress' and 'Total Lockout' language can function as trust-washing, causing reviewers to discount capabilities that enable covert browser control, local pivoting, or data exfiltration.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The code claims a mandatory manual human security gate, but enforcement is only an environment variable check. Any caller able to launch the process can bypass the gate by setting SOTA_NUCLEAR_CONFIRMED=true, so the asserted control provides little real protection and may create dangerous false assurance.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This file implements a generic localhost TCP relay from 127.0.0.1:9223 to 127.0.0.1:9222, which materially expands access to a local service despite the manifest claiming the toolkit is tightly locked down. In an agent skill context, exposing a browser debugging or automation port through an alternate listener can bypass intended access controls, enable unintended tool chaining, and undermine operator assumptions about the skill's security posture.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The claimed 'hardened' gate is only an environment-variable check, which is not meaningful security because any process or launcher able to set environment variables can enable the relay. This creates a false sense of protection around code that then opens a fully functional TCP forwarder, making the mismatch between claims and implementation particularly risky in a security-sensitive automation skill.

Vague Triggers

Medium
Confidence
75% confidence
Finding
The skill description does not clearly state when the skill should be invoked, by whom, or under what bounded use cases, despite exposing powerful automation and relay-related capabilities. Ambiguous activation criteria increase the risk that an agent or operator invokes the toolkit in inappropriate contexts, especially given the presence of browser control and local tunneling components.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
User-supplied query content is transmitted to arXiv without explicit consent, warning, or privacy controls. In an agent context, prompts or sensitive user data could be unintentionally exfiltrated to a third party, making this more dangerous than a normal manual search utility.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal