Aipex Browser

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate browser automation skill, but it gives an agent broad control over Chrome and browser-visible data without enough consent and scoping guidance.

Install only if you are comfortable giving an agent control over Chrome through the AIPex extension and MCP bridge. Use a separate Chrome profile or close sensitive tabs, pin or verify the bridge package where possible, and require explicit approval before account actions, purchases, submissions, deletions, downloads, or sending screenshots to the LLM.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence: 94%
Finding
This skill enables broad browser control, page extraction, downloads, and screenshots, including an explicit `capture_screenshot(sendToLLM=true)` path, but it does not clearly warn users that sensitive page contents, session data visible in the browser, or screenshots may be exposed to the agent/LLM. In a browser automation skill, that omission is materially risky because users may invoke it on email, banking, admin consoles, or other privacy-sensitive pages without informed consent.

Missing User Warnings

Medium
Confidence: 94%
Finding
The documented tools can enumerate all open tabs and retrieve active tab metadata, which exposes browsing activity, titles, and URLs that may contain sensitive information such as internal systems, document names, or auth tokens in query strings. In a browser-automation skill, this is materially risky because agents may access cross-context user activity without an explicit privacy notice, consent boundary, or data-minimization guidance.

Missing User Warnings

Medium
Confidence: 96%
Finding
Form-filling and full editor-reading capabilities can access or overwrite highly sensitive data including credentials, personal information, source code, secrets, and draft content. The lack of a clear warning or handling guidance is dangerous because this skill is specifically designed for autonomous browser control, increasing the chance that an agent reads or writes sensitive fields without adequate confirmation or safeguards.

Missing User Warnings

Medium
Confidence: 95%
Finding
The screenshot functions can capture whatever is visible on screen, including credentials, messages, financial data, internal dashboards, and other sensitive visual content; with `sendToLLM=true`, that data may also be transmitted for model analysis. Mentioning token cost without a privacy warning understates the real risk of exfiltration and unintended retention of sensitive on-screen information.

Missing User Warnings

Medium
Confidence: 92%
Finding
The download tools write files to the user's local filesystem, which can create privacy, persistence, and safety issues if content is saved unexpectedly or into attacker-influenced paths or filenames. In an automation context, users may not realize that browser- or chat-derived content is being persisted locally, increasing the risk of accidental sensitive-data storage.

VirusTotal

66/66 vendors flagged this skill as clean.
