ClawHub

Pagerunner Skill

Security checks across malware telemetry and agentic risk

Overview

Pagerunner appears to be a real browser automation skill, but it needs review because it gives agents broad access to logged-in Chrome sessions, persistent auth state, recordings, stealth mode, external posting, and secret-handling tools.

Install only if you are comfortable giving Pagerunner control over real logged-in browser sessions. Use dedicated low-privilege Chrome profiles, enable domain allowlists and anonymization for sensitive work, avoid stealth mode unless explicitly approved, do not store long-lived credentials in general KV, treat snapshots and recordings like credentials, and require human confirmation before agents submit forms, post externally, change account data, or run commands with sealed secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (29)

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
Telling users to store credentials in KV encourages placing secrets into a generic coordination store that may be readable by multiple agents, retained indefinitely, or insufficiently access-controlled. In a browser automation system with multi-agent workflows and persistence features, this materially increases the risk of credential disclosure, replay, and lateral movement.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The debugging section explicitly discusses extracting login credentials or email values from live pages via get_content/evaluate. In a browser automation skill, this materially enables collection of secrets from authenticated sessions, and the examples normalize credential retrieval without strong scoping, authorization, or redaction guidance. Because this skill advertises authenticated sessions and session persistence, the context makes credential scraping more dangerous, not less.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The examples explicitly show using the skill environment to send data to a Slack webhook via arbitrary outbound HTTP, extending the skill from browser automation into general-purpose data exfiltration and API posting. In an agent context with access to authenticated browser sessions and scraped project data, this creates a real risk of transmitting sensitive internal information to external endpoints without strong user consent, destination controls, or data classification checks.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This example repurposes the skill as a generic multi-agent scraping, analysis, KV coordination, credential retrieval, and internal API posting framework rather than a narrowly scoped Chrome automation tool. That broadens operational power significantly and can normalize use of the skill for bulk collection and onward transmission of data, increasing the chance of misuse, overcollection, and unauthorized system interaction.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The documentation explicitly promotes 'stealth mode' to mask automation signals and avoid site detection. That capability materially increases the tool's misuse potential for bypassing anti-bot controls and operating against sites in ways users or site owners may not expect, especially because the examples frame evasion as a benefit rather than a restricted or exceptional use case.

Context-Inappropriate Capability

High
Confidence
91% confidence
Finding
The `use_secret(name, command, args)` capability explicitly allows running an arbitrary subprocess with a sealed secret piped to stdin. That materially expands the skill from browser automation into local command execution, creating a powerful exfiltration and system-abuse path if an agent or prompt is compromised. The sealed-secret boundary protects transcript exposure, but it does not reduce the risk of misuse once arbitrary commands can consume those secrets.

Context-Inappropriate Capability

Medium
Confidence
78% confidence
Finding
`generate_adapter` sends recent network log entries plus a natural-language goal to an external model API, which introduces data egress beyond the core Chrome automation scope. Because network logs may contain sensitive URLs, headers, metadata, or business context, this creates a privacy and secret-leak risk unless redaction and opt-in controls are very clear and enforced.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation normalizes auto-reattach and persistence of tabs, cookies, and session state across daemon restarts without a prominent warning that authenticated browser state remains available after process restarts. This can surprise operators and lead to unauthorized reuse of live sessions on shared machines, long-lived access beyond user expectations, and weakened session hygiene.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The auto-checkpoint and retention section recommends automatic state saving and even indefinite retention without clearly warning that sensitive browser state may be written to disk for extended periods. Session artifacts can include tokens, cookies, page content, and form data, creating a meaningful at-rest exposure if the host or storage is compromised.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Auto-recovery and pre-sleep checkpointing are framed as transparent resiliency features, but the text does not clearly disclose that the system is automatically saving and restoring session state during failures and sleep cycles. That omission can cause users to underestimate how much sensitive context persists and is recoverable without renewed authentication.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The recording guidance acknowledges personal-profile risk but does not prominently warn that any recording may capture credentials, MFA prompts, PII, internal documents, chat content, or other sensitive data visible during automation. Because recordings are retained and can be used for debugging or compliance, they create a durable secondary copy of sensitive activity.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The file recommends tailing and filtering audit logs, including inspecting pii_entities, but does not warn that audit logs may themselves contain sensitive operational metadata or regulated data. In a tool centered on authenticated browsing and PII anonymization, encouraging casual log inspection can lead to secondary disclosure of sensitive information to operators, downstream tools, or terminals with weaker controls.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The workflow describes collecting Jira board data and posting a summary to Slack, but it omits an explicit warning that internal project information will leave the source system and be transmitted to another endpoint. In practice, agents may copy issue titles, statuses, and potentially sensitive release details into Slack channels or webhooks that have different retention, visibility, and compliance properties.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The example encourages use of pre-authenticated profiles and snapshots but does not warn that these artifacts effectively grant account access to anyone or any agent able to invoke them. In this skill's context, authenticated sessions materially increase the blast radius of mistakes or prompt injection, because the agent can act with real user privileges across enterprise services.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The authentication snapshot pattern normalizes saving and restoring authenticated session state and explicitly says future restores can skip TOTP entirely. Persisting post-auth cookies or session artifacts without strong warnings and controls increases the risk of account takeover, lateral reuse of privileged sessions, and long-lived compromise if snapshots are copied, mishandled, or restored in the wrong context.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The markdown recommends stealth mode for hiding automation signals and gives concrete scenarios for using it, but omits warnings about legal, contractual, and abuse implications. In a browser-automation skill, presenting detection evasion as standard guidance lowers the barrier to abusive automation and can facilitate violations of site controls or monitoring expectations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README prominently encourages automation using existing authenticated Chrome profiles but does not pair that guidance with clear warnings about the consequences of letting an agent act inside a real logged-in session. In this context, the skill can access live accounts, private data, and perform state-changing actions, so missing safety guidance materially increases the chance of unintended disclosure or account-impacting behavior by users who may treat it as low-risk automation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The WhatsApp/Jira example normalizes sending work-derived results back to a phone or messaging workflow without warning that summaries, screenshots, or extracted content may contain sensitive corporate information. Because the example targets autonomous mobile-triggered operation, users may unintentionally route confidential data into less-controlled channels, increasing data leakage risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documented auto-record mode captures every recording-enabled session by default and explicitly recommends it for CI, compliance, and long-running autonomous tasks, but it does not require consent gates, scoping, or prominent privacy safeguards. In a browser automation tool handling authenticated sessions, this can easily capture secrets, personal data, internal dashboards, or unrelated on-screen content, creating a real privacy and data-retention risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The KV documentation uses an API key as an example and does not warn users that KV is general persistent storage rather than a secret-safe store. This encourages storing credentials in a facility that may be more broadly readable, exportable, or logged than the dedicated sealed-secret mechanism, increasing the chance of accidental credential disclosure.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The snapshot and restore documentation emphasizes convenience but does not prominently warn that saved authenticated state can bypass future login and MFA challenges. In practice, these snapshots are highly sensitive bearer artifacts; if copied, mis-scoped, or restored into the wrong profile, they can silently regrant account access.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly promotes using an already-authenticated Chrome profile with existing login sessions, cookies, and browser history, but does not pair that capability with a clear warning about account misuse, privacy exposure, or unintended actions on behalf of the user. In an agent-executed automation context, this materially increases the risk of unauthorized reads/writes across sensitive web accounts if the user misunderstands the trust boundary.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The phone-triggered unattended workflow describes restoring an authenticated snapshot and performing work on Jira without emphasizing that the agent may access or modify data in a live account without real-time human review. Because the feature is explicitly designed for unattended use on pre-authenticated sessions, the surrounding context makes the omission more dangerous rather than less.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script explicitly opens a browser session using a personal Chrome profile and then takes a screenshot, which can expose authenticated content, personal browsing state, cookies-backed sessions, and other sensitive on-screen data. In this skill context, the example is meant for local frontend verification, but using a personal profile makes accidental access to unrelated tabs or sensitive account data more likely if the automation context is broader than intended.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The example operationalizes long-lived authenticated browser snapshots and an always-on daemon, which materially increases the attack surface if the host, profile, snapshot storage, or daemon interface is compromised. Because the script frames this as a convenience workflow and omits security constraints, users may treat persisted authenticated state as routine, enabling unauthorized access to Jira and other session-backed resources without re-authentication.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal