
Security checks across malware telemetry and agentic risk

Overview

The skill appears to be legitimate browser-automation guidance, but it under-explains important risks around credentials, authenticated pages, and system-wide installation.

Review before installing. Prefer a user-local binary path over sudo installation, verify any downloaded binary, bind MCP/CDP interfaces to localhost, avoid using it on sensitive or authenticated sites unless necessary, and pass credentials through environment variables or a secret manager rather than inline commands.
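The first three recommendations above (user-local install, binary verification, loopback-only CDP/MCP binding) as one POSIX shell helper. This is an added example, not the skill's own instructions: the `~/.local/bin` destination, the fake binary it constructs, the `CDP_HOST` variable, and the commented `serve --host/--port` invocation are assumptions for illustration.

```shell
#!/usr/bin/env sh
# Added example: install a downloaded browser binary without sudo, refuse it if
# the SHA-256 digest does not match the published one, and only start a CDP/MCP
# listener on a loopback address. Paths, hashes and flags here are assumptions.
set -eu

# Portable SHA-256 (sha256sum on Linux, shasum on macOS/BSD).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED -> 0 when the digest matches, 1 otherwise.
verify_sha256() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

# install_user_local FILE DEST_DIR EXPECTED_SHA256
# Copies FILE into a user-writable directory (no sudo, no /usr/local/bin) after
# the digest check passes, marks it executable and prints the installed path.
install_user_local() {
  src=$1; dest_dir=$2; expected=$3
  if ! verify_sha256 "$src" "$expected"; then
    echo "checksum mismatch for $src, refusing to install" >&2
    return 1
  fi
  mkdir -p "$dest_dir"
  dest="$dest_dir/$(basename "$src")"
  cp "$src" "$dest"
  chmod 0755 "$dest"
  printf '%s\n' "$dest"
}

# is_loopback HOST -> 0 for addresses that never leave the machine.
# 0.0.0.0, :: or a LAN IP would expose the remote-control interface to the network.
is_loopback() {
  case "$1" in
    localhost|127.*|::1|"[::1]") return 0 ;;
    *) return 1 ;;
  esac
}

# Demonstration with a constructed stand-in for the download (a tiny shell script).
demo() {
  tmp=$(mktemp -d)
  printf '#!/bin/sh\necho fake-browser\n' > "$tmp/lightpanda"
  # In practice EXPECTED comes from the release page or a signed checksum file,
  # never from hashing the file you just downloaded.
  expected=$(sha256_of "$tmp/lightpanda")
  bin=$(install_user_local "$tmp/lightpanda" "$tmp/home/.local/bin" "$expected")
  "$bin"

  CDP_HOST=${CDP_HOST:-127.0.0.1}   # assumption: the listen address is configurable
  if is_loopback "$CDP_HOST"; then
    echo "would start listener on $CDP_HOST (loopback only)"
    # e.g. "$bin" serve --host "$CDP_HOST" --port 9222   # flags assumed, not verified here
  else
    echo "refusing to expose CDP/MCP on non-loopback address $CDP_HOST" >&2
    return 1
  fi
}

demo
```

Add `~/.local/bin` to `PATH` for your user instead of writing into `/usr/local/bin`; if a loopback-only listener is later needed by another host, tunnel to it over SSH rather than changing the bind address.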

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The skill encourages browser automation, webpage fetching, and MCP/CDP-based control by an AI agent, but it does not clearly warn that browsing may transmit sensitive URLs, cookies, page contents, or user-provided data to external sites and services. In an agent context, this omission can lead users to authorize high-impact actions without understanding privacy, credential, or data-exfiltration risks.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The guide instructs users to run a privileged command (`sudo mv lightpanda /usr/local/bin/`) that places the binary in a system-wide PATH location, but it gives no warning about the trust implications of installing an unsigned nightly binary globally, and no checksum or signature to verify against. In an agent-executed or copy-paste context, this increases the chance that unreviewed software is granted persistence and broad execution access on the host.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The quickstart encourages AI-controlled browsing and page dumping via MCP/CDP, but does not warn that fetched page contents, cookies, rendered DOM, and user-supplied targets may be exposed to connected local tools or other processes with access to those interfaces. In this context, the omission can lead users to connect automation or AI agents to sensitive internal or authenticated pages without understanding the data-exposure boundary, increasing the risk of unintended disclosure or misuse.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The documentation shows proxy credentials in a URL and page-level authentication without warning that these secrets are transmitted to the proxy or destination and may be exposed through shell history, logs, screenshots, or copied example code. In an agent/automation context, users often paste examples directly into scripts and CI, increasing the chance of credential leakage.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The example sends an Authorization bearer token directly in a command-line header, but does not warn that the token is visible to every process that can read the command line (shell history, `ps` output, CI logs) and to anyone who copies the documented command. For AI-agent usage this is more dangerous because automated workflows frequently run unattended and may log full commands.
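The two credential findings above (proxy credentials in a URL, bearer token on the command line) share one remedy: keep the secret out of argv and out of anything that gets logged. The following is an added POSIX shell example, not code from the skill or from the browser project; the `PROXY_*` and `API_TOKEN` variable names, the sample hostnames and the curl config layout are assumptions.

```shell
#!/usr/bin/env sh
# Added example: read proxy credentials and an API token from the environment
# (or a secret manager that exports them), hand them to curl through a 0600
# config file rather than on the command line, and scrub them from any line that
# is about to be logged. Variable names and hosts are assumptions.
set -eu

# proxy_url_from_env -> http://USER:PASS@HOST:PORT built from the environment.
# USER and PASS must already be percent-encoded if they contain '@', ':' or '/'.
# Callers should never echo the result into a log; use redact_url for that.
proxy_url_from_env() {
  : "${PROXY_HOST:?set PROXY_HOST}" "${PROXY_USER:?set PROXY_USER}" "${PROXY_PASS:?set PROXY_PASS}"
  printf 'http://%s:%s@%s:%s\n' "$PROXY_USER" "$PROXY_PASS" "$PROXY_HOST" "${PROXY_PORT:-8080}"
}

# redact_url URL -> the same URL with the userinfo part replaced, safe for logs.
redact_url() {
  printf '%s\n' "$1" | sed -E 's#^([a-z]+://)[^/@]*@#\1***:***@#'
}

# scrub_line LINE -> LINE with any "Bearer <token>" value masked. Run this over
# command lines before they reach a CI log or an agent transcript.
scrub_line() {
  printf '%s\n' "$1" | sed -E 's#(Bearer )[A-Za-z0-9._~+/=-]+#\1***#g'
}

# write_curl_config PATH: write a curl config carrying the Authorization header
# and the proxy URL, created with umask 077 so only the owner can read it.
# Usage afterwards:  curl -K "$cfg" https://api.example.test/resource
# Only "-K <path>" shows up in `ps` and shell history; the token does not.
write_curl_config() {
  cfg=$1
  : "${API_TOKEN:?set API_TOKEN}"
  old_umask=$(umask)
  umask 077
  printf 'header = "Authorization: Bearer %s"\nproxy = "%s"\n' \
    "$API_TOKEN" "$(proxy_url_from_env)" > "$cfg"
  umask "$old_umask"
  printf '%s\n' "$cfg"
}

# Demonstration with constructed values (never hard-code real ones like this).
demo() {
  export PROXY_HOST=proxy.internal PROXY_USER=alice PROXY_PASS=s3cret API_TOKEN=tok123
  cfg=$(write_curl_config "$(mktemp)")
  echo "using proxy $(redact_url "$(proxy_url_from_env)")"
  echo "$(scrub_line "curl -K $cfg -H \"Authorization: Bearer $API_TOKEN\" https://api.example.test")"
  rm -f "$cfg"
}

demo
```

Environment variables are still readable by the same user's processes (`/proc/<pid>/environ` on Linux), so this narrows exposure to the user account rather than eliminating it; for unattended agents, a short-lived, least-privilege token issued per run limits what a leaked value is worth.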

VirusTotal

67/67 vendors flagged this skill as clean.
