CapMonster CAPTCHA Solver

Security checks across malware telemetry and agentic risk

Overview

This skill openly automates CAPTCHA solving and token injection on live websites, which is a powerful bypass capability that needs careful user review.

Install or use this only for sites you own, administer, or have explicit permission to test. Use a dedicated CapMonster API key with spending limits, avoid sensitive or internal URLs, and require manual approval before sending challenge data externally, injecting tokens, invoking callbacks, or submitting any live form.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill includes executable shell workflows but declares no corresponding permissions, creating a capability/permission mismatch that can cause unsafe execution without appropriate review or user awareness. In this context, the undocumented shell capability is more concerning because the skill performs network requests and guides automated interaction with protected sites.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill description presents a general CAPTCHA-solving helper, but the content also provides browser DOM inspection, token injection, callback invocation, and workflow guidance for bypassing challenge pages on protected sites. This mismatch reduces informed consent and obscures that the skill is enabling active CAPTCHA circumvention rather than merely calling an API.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The instructions omit a warning that page URL, sitekey, and possibly challenge-related context are sent to an external CAPTCHA-solving service. That omission can lead users to transmit data from third-party or sensitive workflows without understanding the privacy, compliance, or terms-of-service implications.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The workflow tells the agent to inject solved tokens into live pages and submit forms, but provides no warning that this modifies real sessions and can trigger irreversible actions such as account changes, submissions, or policy violations. In the context of CAPTCHA-gated flows, automated submission materially increases the risk of abuse and unintended transactions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script directly modifies CAPTCHA-related DOM fields and temporarily changes element visibility, which changes page state and can trigger downstream submission logic without any user confirmation or contextual warning. In this skill's context, the purpose is specifically to inject third-party CAPTCHA solve tokens into websites, so silent mutation of protected verification fields is security-relevant rather than incidental UI automation.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code discovers and invokes page-defined callback functions from global objects, data attributes, and widget internals, effectively executing untrusted page-supplied code paths with attacker-controlled timing and input. Because this skill is designed to bypass CAPTCHA workflows, these callback invocations can activate site logic, submit forms, or trigger other sensitive actions without warning, making the pattern more dangerous in context.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script sends the CapMonster API key to an external third-party service but does not validate that the credential is present, expected, or being used in an approved context. In an agent-skill setting, this is security-relevant because the skill automates transfer of a secret to an outside service and provides no guardrails, consent prompt, or domain allowlisting, increasing the chance of unintended credential use or misuse.

Ssd 4

High
Confidence
98% confidence
Finding
This section is a detailed operational playbook for detecting CAPTCHA type, extracting sitekeys, obtaining solver tokens, injecting them into pages, invoking callbacks, and submitting protected workflows. In context, this is not a neutral integration guide; it directly enables bypass of anti-automation controls on real sites, including a Google Scholar example, which can facilitate scraping, account abuse, and evasion of access protections.

External Transmission

Medium
Category
Data Exfiltration
Content
### Step 3: Submit to CapMonster API

**Using curl (shell):**

```bash
# Create task
```
Confidence
90% confidence
Finding
curl (shell):** ```bash # Create task TASK_ID=$(curl -s -X POST https://api.capmonster.cloud/createTask \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
# Create task
echo "Creating task..."
RESPONSE=$(curl -s -X POST https://api.capmonster.cloud/createTask \
  -H "Content-Type: application/json" \
  -d "{
    \"clientKey\": \"$API_KEY\",
Confidence
90% confidence
Finding
curl -s -X POST https://api.capmonster.cloud/createTask \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
# Create task
echo "Creating task..."
RESPONSE=$(curl -s -X POST https://api.capmonster.cloud/createTask \
  -H "Content-Type: application/json" \
  -d "{
    \"clientKey\": \"$API_KEY\",
Confidence
90% confidence
Finding
https://api.capmonster.cloud/

External Transmission

Medium
Category
Data Exfiltration
Content
# Create task
echo "🔄 Creating task for: $WEBSITE_URL"
RESPONSE=$(curl -s -X POST https://api.capmonster.cloud/createTask \
  -H "Content-Type: application/json" \
  -d "{
    \"clientKey\": \"$API_KEY\",
Confidence
93% confidence
Finding
curl -s -X POST https://api.capmonster.cloud/createTask \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
# Poll for result
echo -n "⏳ Waiting for solution"
for i in {1..60}; do
  RESULT=$(curl -s -X POST https://api.capmonster.cloud/getTaskResult \
    -H "Content-Type: application/json" \
    -d "{\"clientKey\": \"$API_KEY\", \"taskId\": $TASK_ID}")
Confidence
84% confidence
Finding
curl -s -X POST https://api.capmonster.cloud/getTaskResult \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
# Create task
echo "🔄 Creating task for: $WEBSITE_URL"
RESPONSE=$(curl -s -X POST https://api.capmonster.cloud/createTask \
  -H "Content-Type: application/json" \
  -d "{
    \"clientKey\": \"$API_KEY\",
Confidence
93% confidence
Finding
https://api.capmonster.cloud/

External Transmission

Medium
Category
Data Exfiltration
Content
# Poll for result
echo -n "⏳ Waiting for solution"
for i in {1..60}; do
  RESULT=$(curl -s -X POST https://api.capmonster.cloud/getTaskResult \
    -H "Content-Type: application/json" \
    -d "{\"clientKey\": \"$API_KEY\", \"taskId\": $TASK_ID}")
Confidence
84% confidence
Finding
https://api.capmonster.cloud/

VirusTotal

66/66 vendors flagged this skill as clean.
