Webapp Testing

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local web-app testing helper; it can run local server commands, including opt-in shell mode, but that behavior fits its purpose and is not hidden.

Install only if you want an agent helper that can run local development-server and automation commands. Prefer the default non-shell mode, review commands before running them, and use --shell only for trusted commands you wrote or inspected.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if use_shell:
    # Shell mode: pass command string directly to shell
    print(f"Starting server {i+1}/{len(servers)} (shell): {cmd}")
    process = subprocess.Popen(
        cmd,
        shell=True,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
    )
Confidence
98% confidence
Finding
process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill exposes shell/process-execution capability via documented commands (`python scripts/with_server.py`, optional `--shell`) without any declared permissions boundary. That creates a trust gap: a caller may believe this is a narrow Playwright testing skill when it can also spawn arbitrary local processes and execute follow-up commands, increasing the chance of unsafe invocation or privilege misuse.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The declared purpose frames the skill as Playwright-based webapp testing, but the documentation also instructs the agent to launch arbitrary local servers, wait on ports, and run arbitrary post-start commands, including via shell mode. This mismatch can cause operators or orchestrators to grant the skill broader execution than expected, enabling unintended command execution and expanding the attack surface beyond browser automation.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The documentation claims Playwright connects only to localhost and that no external data is sent, but neither the examples nor the guidance enforce localhost-only URLs. An agent or user could navigate to non-local addresses, potentially interacting with production systems or exfiltrating page content, cookies, screenshots, or logs contrary to the stated safety model.

VirusTotal

63/63 vendors flagged this skill as clean.
