PinchTab

Security checks across malware telemetry and agentic risk

Overview

PinchTab is a real browser-automation skill, but it uses a published fixed bearer token and can store or send browser screenshots, so it needs user review before installation.

Install only if you intend to run a trusted local PinchTab server. Replace the published bearer token with your own secret, restrict the server to trusted local users, supervise navigation and click actions on logged-in sites, and avoid saving or sending screenshots that may contain private account, personal, or business data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill documentation shows capabilities requiring environment variables, shell execution, and network access, yet no permissions are declared. This weakens transparency and policy enforcement because operators may invoke a skill with broader capabilities than expected, increasing the chance of unintended network use or secret exposure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented behavior goes beyond browser automation by exporting screenshots to Telegram and saving copies locally, which is not reflected in the stated skill purpose. This mismatch is dangerous because users may provide access assuming only local browser control while the skill can transmit captured page contents to a third-party service, enabling data leakage.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The documentation expands scope from browser automation to sending screenshots to Telegram, an external destination not covered by the manifest description. In a browser automation context, screenshots can contain credentials, personal data, session details, or proprietary content, so undocumented exfiltration channels materially increase risk.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Telegram integration is not inherently required for browser automation and introduces an unrelated outbound communication path. That makes the skill more dangerous in context because the browser may access sensitive internal or authenticated pages, and screenshots from those sessions could be sent outside the expected trust boundary.

Context-Inappropriate Capability

Medium
Confidence
77% confidence
Finding
This utility script includes a built-in capability to transmit browser screenshots to Telegram, which can expose sensitive page contents such as credentials, personal data, session information, or internal application screens to a third-party service. In the context of a browser-automation skill, screenshots often contain highly sensitive data, so bundling exfiltration functionality raises real data-loss risk even if it is user-invoked.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The file header and usage text describe the script primarily as a screenshot decoder, while it also supports uploading screenshots to Telegram. This mismatch obscures a sensitive external-transmission feature, making it easier for operators to run the tool without fully understanding that browser screenshots may be sent off-host to a third-party platform.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This script can transmit captured browser screenshots to Telegram, which is an external third-party service unrelated to the core browser-control capability described for the skill. Screenshots may contain sensitive page contents, credentials, personal data, or internal application state, so adding exfiltration functionality materially increases data leakage risk.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The inclusion of Telegram bot token and chat ID support introduces third-party delivery capability that is outside the stated purpose of browser automation via a local HTTP API. Even if optional, this expands the skill's trust boundary and enables easy forwarding of captured browser data to an external service.

Context-Inappropriate Capability

Low
Confidence
86% confidence
Finding
The script copies screenshot data into a fixed persistent workspace path, which can leave sensitive browser captures stored beyond the immediate task. Persistent storage increases exposure to later unauthorized access, accidental reuse, or leakage through other tooling that reads from the workspace.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation instructs users to send screenshots to Telegram without a clear warning that page captures may contain sensitive or regulated data and will be transmitted to an external service. Lack of disclosure undermines informed consent and can lead to accidental leakage of secrets, personal information, or internal content.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation exposes browser-launching and arbitrary navigation capabilities without any warning that these actions can trigger external network access and cause side effects on the local system or remote services. In this skill context, the risk is elevated because the API also includes a hardcoded bearer token and supports unrestricted URL navigation, making it easier for an agent or user to invoke powerful automation against internal or external targets without adequate caution.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script embeds a long-lived bearer token directly in source code, which creates a secret exposure risk through source control, logs, backups, or local file disclosure. Anyone who obtains the script can reuse the token to issue authenticated browser automation commands to the local service, potentially driving clicks and other actions without authorization.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script performs an authenticated request to a local browser-control API using a hardcoded bearer token, but provides no disclosure, consent flow, or indication to the caller that privileged browser state may be accessed. In the context of a browser automation skill, this is more dangerous because the endpoint may expose page contents, session-derived data, or sensitive UI state from a live browser instance, making silent authenticated access a meaningful security risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script performs an authenticated POST to a local browser-control API with no validation, prompt, or disclosure, and it hardcodes a bearer token in the script. In the context of a browser automation skill, launching a browser instance can trigger privileged local actions and may be abused by any user or process that can invoke the script, especially if they are unaware it authenticates automatically.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends a user-controlled URL together with a hardcoded bearer token to a local HTTP automation service, with no validation, scoping, or user warning. In a browser-automation skill, this is dangerous because any caller who can run the script can cause authenticated actions against the local service and potentially drive the browser to attacker-chosen destinations, enabling SSRF-like access, sensitive page interaction, or misuse of the automation instance.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Persisting screenshots without explicit warning or confirmation is risky because browser screenshots often contain sensitive content not intended for long-term storage. In the context of a browser automation skill, silent persistence can surprise users and create residual data exposure after the task completes.

VirusTotal

VirusTotal findings are pending for this skill version.
