Playwright Web Automation Tool

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Playwright web-testing helper, but users should be careful with console logs, screenshots, file URLs, and the optional server helper.

Install only if you are comfortable letting Playwright open the pages or local files you specify and saving screenshots or logs locally. Avoid console capture on sensitive or authenticated pages unless needed, and use the server helper only with trusted commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill advertises capabilities that imply shell execution, environment access, and file writing, but it does not declare corresponding permissions or clearly warn users about those behaviors. This creates a transparency and consent gap: users may invoke a seemingly simple web-testing skill without realizing it can launch local services, write artifacts such as screenshots, or access environment-derived secrets during execution.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: The script launches user-supplied server commands with subprocess.Popen(cmd, shell=True), which allows arbitrary shell metacharacters and command chaining. If any untrusted input reaches --server, an attacker can execute arbitrary OS commands under the privileges of the skill runner, which is especially dangerous in an automation environment that may have filesystem or network access.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding: The skill explicitly supports browser console log collection but does not warn that console output may include sensitive data such as tokens, API responses, user identifiers, stack traces, or debugging secrets emitted by the tested page. In a browser automation context, especially against local apps or authenticated pages, collecting and surfacing console logs can unintentionally expose sensitive information to the agent, logs, or downstream systems.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The script accepts arbitrary http(s) and file:// targets from user input, then loads them in a browser and captures screenshots, DOM-derived element data, or console output without any trust boundary, allowlist, or privacy warning. In a skill context, this can expose sensitive local files, internal web apps, or authenticated page contents to logs and saved artifacts, creating a real data-collection and exfiltration risk even though the feature appears intended for testing.

VirusTotal

64/64 vendors flagged this skill as clean.