Browser Driver

Security checks across malware telemetry and agentic risk

Overview

This skill is high-impact because it controls a logged-in browser, but the artifacts clearly disclose that purpose and include meaningful scope and cleanup guidance.

Install only if you intentionally want an agent to control your already-signed-in local browser. Keep the CDP port bound to localhost, watch the session while it runs, close the tunnel and restart the browser normally afterward, and avoid temporary plaintext secret files unless there is no safer password-manager path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium (85% confidence)
Finding
The default prompt is broadly phrased and can trigger use of this high-risk skill for generic automation requests without clearly restating the narrow safety constraints. Because this skill attaches to the user's already-authenticated browser session, accidental or overly broad invocation can expose privileged actions and sensitive session data beyond what a normal browser automation skill should access.

Missing User Warnings

Medium (93% confidence)
Finding
The instructions tell an agent to relaunch the user's already-authenticated browser with a remote debugging port enabled, which exposes powerful control over the live session but does not require or emphasize explicit user consent, scope limits, or the security consequences. Even though the skill says to use the user's own browser, enabling CDP on an authenticated profile can allow access to cookies, page contents, and privileged actions if misused or if another local process connects to the port.

Missing User Warnings

Medium (95% confidence)
Finding
The guidance directs the agent to operate inside the user's real authenticated browser context and capture screenshots after actions, but it omits a clear warning that screenshots and page inspection may collect sensitive account data, personal information, or secrets visible in-session. In this context, the skill is more dangerous because it is specifically designed to reuse a live login behind 2FA, so the browser state is highly privileged and likely to contain sensitive content.

Missing User Warnings

Medium (93% confidence)
Finding
The guidance instructs the agent to extract one-time secrets from a logged-in browser session and write them to a local plaintext file before later deleting it. Even with cleanup, this creates an unnecessary exposure window: local files may be readable by other processes, indexed, backed up, recovered after deletion, or mishandled by logs and tooling. In the context of a skill that attaches to the user's real authenticated browser, the sensitivity of these secrets is higher because they may grant direct access to production systems.

VirusTotal

59/59 vendors flagged this skill as clean.
