Agb

Security checks across malware telemetry and agentic risk

Overview

This is a real browser-automation skill, but it gives agents broad control over live browser sessions, saved authentication state, page JavaScript, screenshots, recordings, and proxy use without enough guardrails.

Install only if you trust the agent and workflows that will use it. In particular:
  • Avoid using it on real accounts unless necessary.
  • Treat saved state files, screenshots, videos, PDFs, traces, cookies, and storage dumps as sensitive data.
  • Keep auth-state files out of shared folders and version control.
  • Avoid arbitrary eval on sensitive sites.
  • Do not use the proxy examples to bypass site rules or rate limits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Description-Behavior Mismatch
Medium (97% confidence)
Finding: The skill exposes a direct `eval({ code })` wrapper that forwards arbitrary JavaScript into the browser context with no restriction, validation, or disclosure. In a browser automation skill, this materially expands capability beyond ordinary navigation and form interaction into arbitrary DOM/script execution, enabling data exfiltration from page context, tampering with application state, or bypassing intended safety boundaries.

Vague Triggers
Medium (85% confidence)
Finding: The skill description is broad enough that an orchestrator may invoke it for many routine browsing tasks without sufficient user intent checks or safety boundaries. Because the tool can navigate arbitrary URLs, manipulate authenticated sessions, execute page JavaScript, and extract page data, overbroad routing increases the chance of sensitive-site interaction or unintended data exposure.

Missing User Warnings
Medium (91% confidence)
Finding: The screenshot function accepts an arbitrary caller-controlled file path and passes it directly to the underlying tool, allowing writes to attacker-chosen locations if the binary honors the path. In an automation environment, this can overwrite files, place sensitive captures in unsafe locations, or persist data outside expected working directories without any guardrails.

Missing User Warnings
Medium (93% confidence)
Finding: The example persists authenticated browser state immediately after login, which typically contains reusable session cookies or tokens. Although a later best-practices section warns not to commit state files, the point-of-use example normalizes saving sensitive auth material without an immediate caution about secure storage, reuse limits, or cleanup, increasing the chance users will leave live credentials on disk.

Missing User Warnings
Medium (95% confidence)
Finding: Persisting authenticated state after OAuth or 2FA is especially sensitive because it can bypass reauthentication and second-factor prompts by reusing an already-established session. The examples save these states without immediate caution, which may lead operators to treat the resulting files as harmless artifacts rather than credential-equivalent secrets.

Missing User Warnings
Medium (95% confidence)
Finding: The documentation shows proxy credentials embedded directly in environment variable URLs, which can expose secrets through shell history, process listings, logs, screenshots, CI output, or shared terminal sessions. In a browser-automation skill, users are likely to copy-paste examples verbatim, increasing the chance that real proxy usernames and passwords are handled insecurely.

Missing User Warnings
Medium (83% confidence)
Finding: The rotating-proxy scraping section provides operational guidance for avoiding rate limits but omits warnings about data routing, legal or contractual restrictions, and privacy implications of sending traffic through third-party proxies. In this skill context, automation plus proxy rotation can materially enable abusive or noncompliant scraping practices, making the omission security-relevant even if the text is not overtly malicious.

Missing User Warnings
High (98% confidence)
Finding: The example recommends using --ignore-https-errors with only a weak caution, which normalizes bypassing certificate validation. This can expose automated sessions to man-in-the-middle interception, credential theft, and false test results, especially when traffic is already traversing proxies that may perform SSL inspection.

Missing User Warnings
Medium (91% confidence)
Finding: The documentation encourages recording full browser sessions, including examples that visibly fill credentials, but it does not warn that recordings may capture passwords, personal data, session identifiers, or other sensitive on-screen content. In an automation/browser-testing skill, this omission is more dangerous because users are likely to run the examples against real applications and preserve the resulting videos as artifacts, increasing the risk of credential or data exposure.

Missing User Warnings
Medium (88% confidence)
Finding: The script persists browser authentication state to a JSON file and later reloads it, but provides no guidance on protecting that file or limiting its permissions. Session state can contain cookies, tokens, or other bearer credentials, so if the file is stored insecurely, checked into source control, or read by another local user/process, an attacker may be able to hijack the authenticated session.

VirusTotal

66/66 vendors flagged this skill as clean.