Web Access Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed browser-automation tool, but it gives an unauthenticated local service broad control over a logged-in Chrome session and local file uploads, so it needs careful review before use.

Install only if you intentionally want an agent to operate a real logged-in Chrome profile. Prefer a dedicated browser profile or test accounts, stop the proxy when not in use, and require explicit approval before uploads, public posts, form submissions, purchases, deletes, account changes, or visits to sensitive private sites.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
The skill instructs the agent to persistently write site-specific knowledge into local reference files after task completion. This expands the skill from transient web access into modifying the local workspace state, creating a persistence channel that can silently accumulate unreviewed data, including sensitive URLs, tokens, or behavioral instructions derived from adversarial sites. In a web-access skill, this is more dangerous because it processes untrusted remote content by design, so writing learned patterns back to disk risks cross-task contamination.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding:
The /eval endpoint accepts arbitrary JavaScript and executes it inside the user's already-authenticated Chrome tabs via Runtime.evaluate. That gives any local caller the ability to read page contents and any session-scoped data exposed to page JS, perform actions as the user, and drive sites far beyond the stated 'web-access' purpose, especially because it targets the user's everyday browser session rather than an isolated automation profile.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding:
The /setFiles endpoint can programmatically attach arbitrary local paths to file inputs in the user's browser session. This enables silent submission of local files to websites and can be chained with the proxy's navigation/click capabilities to exfiltrate sensitive local data without meaningful user awareness.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
The /clickAt endpoint uses browser-level mouse events and is explicitly documented as a way to bypass anti-automation checks and trigger privileged UI flows. That makes the proxy materially more dangerous because it can invoke actions that simple DOM clicks cannot, including security-sensitive flows gated on real user gestures.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding:
This code exposes powerful control of the user's existing Chrome session through an unauthenticated localhost HTTP server. Any local process running as the user can call the API to inspect tabs, navigate, execute scripts, click elements, capture screenshots, and manipulate logged-in sessions, so 'localhost only' is not a meaningful security boundary on a multi-process desktop.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The README explicitly promotes connecting to the user's everyday Chrome and reusing its logged-in state for automation, but does not prominently warn that this grants the skill access to authenticated sessions, personal data, and the ability to act on behalf of the user. In a browser-automation skill, that omission is especially risky because users may not realize the tool can read private content or trigger account-impacting actions across any site already logged in.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The usage examples include posting content and uploading files through browser automation without warning that these are state-changing and potentially irreversible actions. Given this skill is designed to operate with the user's logged-in browser, such examples normalize destructive or externally visible actions without emphasizing consent, review, or rollback limitations.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding:
The trigger scope is so broad that it effectively captures nearly all network-related tasks, including searching, browsing, login-based activity, scraping, and dynamic rendering. Overbroad routing increases the chance the skill is invoked in higher-risk situations than necessary, exposing users to browser/CDP operations and external services even when simpler, safer mechanisms would suffice. In context, this skill has powerful capabilities, so weak boundaries materially increase risk.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill encourages writing local site-pattern files but does not require informing the user that local files will be modified. Silent filesystem modification violates user expectations and can create persistence, overwrite data, or introduce later unsafe behavior based on prior untrusted observations. This is especially risky here because the content being operationalized comes from arbitrary websites encountered during browsing.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The documentation exposes endpoints that can save screenshots to arbitrary local file paths and set file input contents directly from local paths, which enables local file system interaction through browser automation. In a web-access skill intended for live browsing and logged-in actions, this materially increases the risk of unintended data exfiltration, sensitive file disclosure, or misuse of local files without clear user consent and safety constraints.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The /clickAt endpoint is documented as a browser-level real mouse click that can trigger file dialogs and bypass some anti-automation checks. Even as documentation, advertising anti-detection capability without warning or policy constraints makes the skill more dangerous because it facilitates stealthier automation of authenticated or sensitive web actions.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The /screenshot endpoint can write attacker-chosen image data to an arbitrary filesystem path supplied by the caller. While limited to screenshot bytes, arbitrary file write behavior can overwrite user files in writable locations and silently persist sensitive page captures to disk without notice.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
Setting local files on file inputs without any user-facing prompt removes an important consent boundary for uploading local data. In the context of a proxy controlling the user's real logged-in browser, this can silently submit sensitive documents to remote sites and is more dangerous than normal automation because it operates in trusted user sessions.

VirusTotal

67/67 vendors flagged this skill as clean.