playwright-browser

Security checks across malware telemetry and agentic risk

Overview

The main browser automation feature is plausible, but the package also includes unrelated scripts that read local attendance files and save website images/reports to Desktop without clear disclosure.

Review the bundled scripts before installing. Use only the main browser_agent.py in an isolated browser/session, avoid sensitive logged-in sites when API capture is enabled, and do not run the attendance, Sina image, Sina test, or 12306 scripts unless you explicitly want those hard-coded local or site-specific actions and accept the files they may save.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares no permissions even though it advertises and, per the findings, exercises network and filesystem-capable behavior. That mismatch undermines user and platform trust boundaries: a browsing skill that can read/write local files and access the network without explicit declaration can be invoked in contexts where the user does not expect local data access or persistent output.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
This is a strong true positive because the documented purpose is generic web browsing/extraction, while the detected behavior includes unrelated local file reads, Excel generation, fixed-path writes, image downloads, and site-specific automation. Hidden or undeclared capabilities materially increase risk: they can exfiltrate or manipulate local data, create unexpected artifacts on disk, and perform actions outside the user’s apparent request.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill exposes arbitrary page interaction primitives such as clicking selectors and filling form fields, which go beyond passive browsing and extraction. In an agent setting, this can enable unintended state-changing actions on third-party sites, including submitting forms, triggering purchases, or altering account settings if the browser has an authenticated session.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The browser is launched with anti-automation evasion settings, including disabling AutomationControlled and weakening site isolation features, despite the stated purpose being ordinary browsing and data extraction. This increases stealth and reduces browser security boundaries without a clear need, making misuse and exposure to hostile web content more concerning.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script writes downloaded website content directly to a persistent local folder on the user's Desktop, which exceeds ordinary in-browser browsing/extraction behavior and creates side effects on the host system. In an agent setting, silent local file creation is risky because it can consume disk space, retain unwanted third-party content, and surprise users who only requested page viewing or extraction.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The response hook captures and saves essentially all image responses from the target site, turning the skill into a bulk downloader rather than a narrowly scoped browser automation tool. In the skill context, this broad collection increases the chance of over-collection, unnecessary storage of third-party/tracking assets, and misuse for mass content harvesting beyond the user's immediate request.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This file is materially unrelated to the declared Playwright browser-automation skill and instead scans a local Desktop folder, parses attendance/HR-style text records, and generates an Excel report. That mismatch is dangerous because it indicates hidden capability for local data collection and processing of sensitive employee information, which could enable unauthorized access or exfiltration of personal/workforce records under the guise of a browsing skill.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script hard-codes access to a local Desktop attendance directory and writes a consolidated Excel workbook, which is not justified by the skill's web-browsing purpose. In context, this creates an unnecessary local data-processing path for potentially sensitive HR information, increasing the risk of covert collection, repurposing, or later exfiltration of employee attendance data.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger phrases are broad enough to match many ordinary browsing requests, increasing the chance that this powerful skill is auto-selected when a narrower, safer capability would suffice. In context, that matters because the skill can drive a real browser and capture network responses, so over-triggering expands exposure to sensitive sites, authenticated sessions, and unintended automation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Capturing XHR/fetch responses can collect session-bound API data, personal information, tokens, or other sensitive content rendered behind authentication, yet the safety guidance only gives a generic warning about suspicious URLs. In a real-browser, non-headless context, this is more dangerous because the browser may carry cookies and active sessions, making network interception far more sensitive than simple page scraping.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code captures full network response bodies for xhr, fetch, and document requests and stores them for later retrieval without minimization or user-facing disclosure. These responses can contain sensitive data such as API tokens, personal information, session-bound content, or internal application data that users may not realize is being collected.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
When API hooking is enabled, the CLI prints captured response content directly to stdout, which can leak sensitive remote data into logs, terminals, calling processes, or downstream telemetry. Because this happens automatically and without a strong warning, operators may expose confidential content unintentionally.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script performs persistent writes of intercepted website images to the user's Desktop without any confirmation, warning, or opportunity to restrict the action. In an agent skill, undisclosed local file writes are dangerous because they violate least surprise, can store large amounts of untrusted remote content, and may conflict with user expectations or local security policies.

VirusTotal

65/65 vendors flagged this skill as clean.