Skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Chrome debugging skill, but it gives an AI broad access to real browser sessions and includes examples that can expose tokens or credentials without enough warnings.

Review before installing. Use a pinned package version, a project-scoped MCP registration when possible, a dedicated temporary Chrome profile, and disposable test accounts. Avoid personal or production logged-in sessions, never ask the AI to read tokens/cookies/localStorage secrets, and redact sensitive headers or response bodies before sharing outputs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings

Medium
Confidence: 87%
Finding
The skill explicitly advertises powerful browser capabilities including network inspection, screenshot capture, live-page automation, and arbitrary JavaScript execution, but it provides no user-facing warning about privacy, authenticated-session exposure, or the risk of interacting with production accounts and sensitive pages. In the context of an AI-operated browser tool, this omission can lead users to expose cookies, page contents, internal apps, tokens, or personal data without understanding the consequences.

Missing User Warnings

Medium
Confidence: 94%
Finding
The installation guide encourages users to connect an AI tool to a real Chrome browser and validate it by taking a screenshot, but it does not clearly warn up front that browser automation can expose page contents, session state, and other sensitive user data to the AI tool and related logs. In this skill context, that omission is more dangerous because the server is explicitly designed to inspect pages, network activity, and screenshots from a live browser, which increases the chance of inadvertent data disclosure during normal use.

Missing User Warnings

Medium
Confidence: 94%
Finding
The quickstart explicitly teaches the AI to inspect full network requests and responses, including headers and bodies, without any caution that these often contain session cookies, bearer tokens, API keys, PII, or business-sensitive payloads. In the context of a browser-control/debugging skill, this materially increases the risk of accidental secret exposure to the model, logs, screenshots, or downstream tooling.

Missing User Warnings

Medium
Confidence: 96%
Finding
The automation example demonstrates entering plaintext credentials directly into a browser session without warning against using real accounts, production systems, or reusable passwords. Because this skill is designed for AI-driven browser automation, such examples normalize handling live credentials in prompts and browser state, which can lead to credential leakage through model context, logs, screenshots, or recorded sessions.

Missing User Warnings

High
Confidence: 99%
Finding
The guide instructs the AI to execute JavaScript that reads a user token from localStorage, directly targeting authentication material. In a browser-debugging skill, this is especially dangerous because it encourages exfiltration of bearer/session tokens into AI output or tool logs, enabling account takeover or unauthorized API access if the token is reused or still valid.

Missing User Warnings

Medium
Confidence: 91%
Finding
The documentation explicitly recommends connecting to an already running Chrome instance and mentions debugging pages in a logged-in state or using a specific browser profile, but it does not warn that DevTools remote debugging grants broad access to page contents, cookies/session context, network data, and script execution capabilities. In the context of an MCP server designed for AI assistants, this omission is materially risky because it can encourage users to expose sensitive authenticated browser sessions to automated tooling without understanding the trust boundary.

VirusTotal

65/65 vendors flagged this skill as clean.