Qwen Web Agent

Security checks across malware telemetry and agentic risk

Overview

This skill does automate Qwen in a browser, but it also stores Qwen session data and chat contents locally and automatically deletes Qwen conversations from the logged-in account.

Review and edit the scripts before installing. Use only if you are comfortable with a reusable Qwen login stored on disk, prompts being sent to qianwen.com, chat contents being saved in plain-text Markdown files, and Qwen conversations being deleted automatically. Change the hard-coded output paths, disable deletion unless explicitly wanted, and avoid submitting secrets or private documents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding
The skill documentation describes file-writing behavior such as saving outputs and session history, but it does not declare corresponding permissions. Undeclared write capability weakens user consent and policy enforcement because an agent may persist data to disk without the operator understanding that local files will be created or modified.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 88%
Finding
The skill claims to automate Qwen conversations, but the documented behavior also includes local persistence of prompts/responses and deletion of web conversations, which are materially significant side effects not clearly captured in the primary purpose statement. This mismatch can mislead users and downstream agents into exposing sensitive data to disk or losing remote conversation history unexpectedly.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The skill advertises support for multi-turn conversations, but it unconditionally deletes the active conversation at the end of each run. In an automation context, this is a dangerous integrity issue because it performs destructive state changes that contradict the stated behavior and can cause silent loss of user data or chat history.

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The code writes both the user's query and the model response to a fixed local Markdown file, despite the skill description only describing browser-mediated querying. This creates an undisclosed data persistence channel that can leak sensitive prompts or responses into local storage outside the user's expectations.

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
The hard-coded output path targets a specific personal documents directory unrelated to the minimal functionality needed for browser automation. This is risky because it writes potentially sensitive conversation content into an unexpected location, may expose data to other local processes or backups, and can overwrite files on the host without user control.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The script does more than its stated purpose of sending prompts to Qwen and returning answers: it persistently logs every query/response to a local markdown file and later deletes the remote conversation from the user's Qwen account. This hidden side effect is dangerous because prompts and replies may contain sensitive data, while deleting the web conversation removes user-visible auditability and can frustrate recovery or review.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The cleanup routine automatically navigates the Qwen UI to delete a conversation, even though the skill's stated function is only to ask questions and collect replies. This is dangerous because it performs destructive account actions without explicit authorization, potentially causing loss of user data and concealing what was sent to the external AI service.

Missing User Warnings

Medium
Confidence: 84%
Finding
The skill stores a reusable login session under ~/.qwen_session/, but the description lacks a prominent warning that authentication material persists on disk. Persistent browser/session state can expose account access to other local users, backups, or compromised processes, especially on shared or poorly secured systems.

Missing User Warnings

Medium
Confidence: 88%
Finding
The documentation states that browser login state is persisted in ~/.qwen_session/ and that replies are written to a fixed local Markdown file, but it does not clearly warn that authenticated session data and potentially sensitive prompts/responses will be reused and stored on disk. In an agent/browser-automation context, this can cause unintended use of a previously logged-in personal account, leakage of confidential model inputs/outputs, and cross-run privacy exposure on shared systems.

Missing User Warnings

Medium
Confidence: 97%
Finding
The script performs a destructive deletion of the current conversation automatically as part of cleanup, with no prior user confirmation or meaningful warning. In a headed browser using a persistent profile, this can irreversibly remove legitimate user chat history and is especially dangerous because the deletion is triggered after every query.

Missing User Warnings

Medium
Confidence: 98%
Finding
The script appends full prompts and model answers to a fixed local file path without warning the user that session content will be stored persistently. This creates a privacy and data-handling risk because sensitive information entered during chats may remain on disk in plain text and outside the user's expectations.

Missing User Warnings

Medium
Confidence: 98%
Finding
The script automatically deletes the conversation through the web UI during cleanup without asking for confirmation at the time of deletion. This is dangerous because it triggers an irreversible user-impacting action that exceeds normal expectations for a query automation tool and can erase records the user intended to keep.

Ssd 3

Medium
Confidence: 93%
Finding
Multi-turn mode persistently writes complete conversation history to a markdown file, creating a durable record of user prompts and model outputs that may contain credentials, personal data, or proprietary information. In the context of an AI-query automation skill, this is especially risky because users may assume the interaction is transient while the tool silently accumulates sensitive natural-language data.

Ssd 3

Medium
Confidence: 99%
Finding
The code stores all prompts and responses in plain text in a persistent markdown history file, which can capture credentials, personal data, proprietary content, or other sensitive information submitted during chats. In a browser-automation skill that may be used as a general-purpose AI proxy, this greatly increases exposure because users may not realize their conversations are being archived locally.

VirusTotal

65/65 vendors flagged this skill as clean.
