Unbrowse Openclaw

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-aligned for website API discovery, but it reads browser session cookies, reuses authenticated traffic, and retains sensitive captured data with too little scoping for automatic installation.

Install only in an isolated environment with a dedicated browser profile and test accounts. Do not run it against personal or business SaaS sessions unless you are comfortable with cookies being read, stored, and replayed, and with captured outputs being cached locally or used to publish reusable endpoint metadata. Review and clear traces and vault data regularly, and treat any mutation or authenticated capture as a manual, consented action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (58)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill advertises and invokes capabilities that imply shell execution, network access, and environment interaction, but it does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: users and orchestrators cannot accurately assess or constrain what the skill can access before invocation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose understates materially sensitive behavior such as extracting browser cookies, accessing OS/browser secret material for cookie decryption, storing credentials locally, and proxying requests to a remote service. That mismatch is dangerous because users may invoke the skill for routine web extraction without realizing it can access authentication artifacts and transmit sensitive data off-host.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The /v1/auth/steal route explicitly extracts browser cookies from Chrome/Firefox profile databases, which is credential harvesting behavior rather than normal website analysis. In this skill context, that capability enables access to authenticated sessions and third-party accounts, making the feature substantially more dangerous than the stated purpose suggests.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The comments normalize credential extraction by describing it as convenient and 'instant,' which downplays the sensitivity of reading browser cookie stores. This kind of framing increases the risk of unsafe use and suggests the feature was intentionally designed to facilitate covert session capture.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code automatically falls back to reading cookies from local Chrome/Firefox stores when no vault cookies exist, without any explicit user consent at the time of access. Harvesting browser cookies from local profiles is a credential-theft pattern because it can silently import authenticated sessions for arbitrary domains and reuse them in later requests.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The comments normalize the behavior as a routine auth fallback and even reference a '/v1/auth/steal' style flow, which obscures that the feature is actually taking session cookies from local browser databases. Misleading documentation increases risk because reviewers and users may not recognize that the module performs covert credential extraction.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code deliberately spoofs a real Chrome user agent and overrides client-hints specifically to avoid HeadlessChrome detection. That goes beyond normal browser automation and directly enables stealthy scraping or automated access against sites that are intentionally trying to block bots, which is especially risky in a skill designed to capture network traffic and reusable APIs from arbitrary websites.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The function explicitly detects Cloudflare challenge pages and waits for clearance before proceeding, which is behavior aimed at overcoming an access-control or anti-abuse checkpoint rather than ordinary page readiness. In the context of a tool that discovers and reuses private site APIs, this materially increases the ability to access guarded content at scale.

Context-Inappropriate Capability

Low
Confidence
78% confidence
Finding
Full WebSocket frame capture can collect sensitive real-time application data such as chats, tokens, personal events, or internal messages well beyond basic HTTP traffic discovery. In a marketplace-oriented skill that publishes or reuses discovered capabilities, this broader interception increases privacy and credential-exposure risk if stored, shared, or replayed.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code extracts Cloudflare clearance cookies and rewrites them onto the registrable domain for reuse across subdomains, effectively broadening the scope of anti-bot clearance beyond what the site originally issued. This is a direct mechanism to extend bypass tokens and can enable unauthorized access or automated scraping across additional protected surfaces.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Trigger-and-intercept intentionally lets the target site's own JavaScript perform guarded requests so the tool can capture responses while inheriting CSRF tokens, session state, and TLS/browser fingerprint characteristics. This is a strong evasion pattern for accessing protected endpoints that are difficult to call directly, and in this skill's context it enables extraction and operationalization of unofficial or gated APIs.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The execution path will perform non-GET requests to discovered endpoints when `confirm_unsafe` is set, including endpoints learned automatically from captured traffic rather than explicitly curated APIs. In a skill whose purpose is extraction and reverse-engineering of websites, this creates a real risk of unintended state-changing actions on third-party services, especially if endpoint metadata is inaccurate or attacker-influenced.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The code opens arbitrary WebSocket connections from endpoint metadata and collects all messages for several seconds without validating destination or purpose. Because endpoints are discovered from network traffic and may include third-party or sensitive streams, this enables unintended live data collection and expands the skill from passive API extraction into broad real-time interception.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The startup logic executes host shell commands via execSync to kill processes and install software on the machine. Even though the commands are hardcoded, this expands the skill's privileges beyond website/network analysis into host-level process management and package execution, which is risky in agent or multi-tenant environments and can disrupt unrelated workloads or execute unintended code through the package toolchain.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This trace contains far more data than needed for a website-network/API-skill workflow, including a real user's email address, profile metadata, workspace configuration, page titles, permissions, public-share settings, and numerous business/investor documents. That is a serious over-collection and exposure issue because anyone with access to the trace can infer sensitive business operations and personal information unrelated to the skill's stated purpose; the marketplace/reusable-skill context makes this especially dangerous because captured data may be propagated and reused broadly.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The trace exposes extensive unrelated Notion data, including a real user email address, workspace metadata, page titles, permissions, and internal document structure. For a skill whose purpose is website network-traffic analysis, returning this volume of tenant data indicates severe over-collection and over-disclosure, creating a direct confidentiality breach and expanding the blast radius if traces are logged, shared, or reused in a marketplace.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The result includes clearly unrelated business-sensitive content such as investor prep, financial models, SWOT analysis, competitive analysis, and investment package materials. In the context of a skill that captures browser/network data and publishes discovered skills to a shared marketplace, this is especially dangerous because highly confidential corporate documents could be unintentionally exposed, retained, or propagated beyond the original user/session.

Description-Behavior Mismatch

Medium
Confidence
99% confidence
Finding
This trace stores a real LinkedIn profile payload containing personal data such as name, public identifier, birthday components, location, profile summary, tracking identifiers, and direct image URLs with access tokens. In the context of an 'unbrowse' skill that captures network traffic and republishes learned artifacts to a shared marketplace, retaining harvested third-party profile data is dangerous because it turns execution traces into a repository of sensitive scraped data rather than reusable API logic, creating privacy, compliance, and unauthorized data-disclosure risk.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The trace contains extensive unrelated sensitive data from a Notion account and multiple workspaces, including a personal email address, profile metadata, workspace configuration, page inventories, permissions, and other internal records. For a skill whose stated purpose is website network analysis/API discovery, returning this volume of cross-context data is a clear over-collection and exposure issue that could leak private personal and business information to downstream agents, logs, or marketplaces.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The output exposes titles and structures of internal business and investor materials such as investment prep, financial models, SWOT analysis, and competitive analysis documents that are unrelated to the skill's declared function. This materially increases risk because the skill description says discovered artifacts may be published and reusable by all agents, turning accidental access into potential broad confidential-business-data disclosure.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This trace contains extensive Notion data far beyond the stated purpose of deriving API skills from website network traffic, including user profile details, workspace metadata, page titles, permissions, and internal document structure. The skill context makes this more dangerous because it is designed to capture and publish discovered artifacts to a shared marketplace, so unrelated private workspace data could be retained, reused, or exposed to other agents or users.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The trace retains sensitive personal and business information, including an email address, workspace ownership/membership details, page titles referencing investment prep and financial materials, and internal collaboration metadata. In the context of a skill that learns from captured traffic and shares reusable skills, this creates severe confidentiality and business-risk exposure because proprietary documents and account metadata could be disclosed, indexed, or repurposed without authorization.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The trace contains a full Notion data dump with user identity, workspace metadata, page titles, permissions, and document structure, which is far beyond the skill’s stated purpose of analyzing website network traffic and reusable API behavior. This creates an overcollection and data-exposure vulnerability because anyone with access to traces can learn private workspace contents and organizational details unrelated to the requested task.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The output reveals sensitive business artifacts such as investment prep, financial models, SWOT analysis, competitive analysis, and enterprise connector materials that are unrelated to browsing/network-traffic discovery. In the context of a skill designed to inspect websites and publish reusable skills to a shared marketplace, this kind of unrelated data access materially increases the risk of confidential business information leakage and secondary misuse.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The trace contains a full LinkedIn profile payload with extensive personal and professional data, including name, public identifier, employment history, education, location, profile media links, and profile image URLs. For a skill described as API discovery and traffic analysis, storing and exposing a raw third-party profile response is excessive data retention and creates a real privacy/security issue because traces may be shared, reused, published to a marketplace, or accessed by other agents beyond the original collection context.

VirusTotal

66/66 vendors flagged this skill as clean.