Agent Browser

Security checks across malware telemetry and agentic risk

Overview

Agent Browser appears to be a legitimate browser automation skill, but it gives agents broad control over real websites and logged-in sessions with mostly opt-in safeguards.

Install only if you intentionally want to give an agent broad browser-control authority. Use test accounts or a dedicated browser profile, and enable domain allowlists and an action policy before sensitive work. Avoid importing a personal Chrome session unless necessary, do not place real passwords or tokens inline in commands, and encrypt or delete auth state files promptly. Require explicit confirmation for logins, submissions, uploads, purchases, account changes, deletion, or public posting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Vague Triggers

Medium
Confidence: 93%
Finding: The trigger description is extremely broad and would cause this skill to activate for many generic web-related tasks, including tasks involving logins, form submission, scraping, and browser automation on arbitrary sites. In an agent setting, over-broad activation increases the chance the model invokes a high-risk browser-capable tool unnecessarily, exposing users to credential handling, data exfiltration, or unintended actions on live websites.

Missing User Warnings

Medium
Confidence: 97%
Finding: The documentation actively encourages login automation and reuse of authenticated state while noting that session state may contain plaintext tokens, but it does not present a prominent warning about account takeover risk, credential sensitivity, or the danger of storing and replaying session material. In a skill for AI agents, this omission is dangerous because the agent may normalize insecure handling of secrets and persistent auth artifacts across tasks and environments.

Missing User Warnings

Medium
Confidence: 92%
Finding: The examples show literal passwords in commands, which normalizes unsafe secret handling and can lead users to paste real credentials directly into shell commands. Secrets entered this way may be exposed in shell history, process listings, shared terminal logs, screenshots, or copied documentation, making credential compromise more likely in a browser automation context.

Missing User Warnings

Medium
Confidence: 95%
Finding: The HTTP Basic Auth example uses placeholder credentials as positional arguments without warning that this pattern is sensitive and commonly leaks secrets via shell history and process inspection. Because browser automation is often run on developer workstations and CI agents, this documentation can directly encourage unsafe operational practices.

Missing User Warnings

Medium
Confidence: 96%
Finding: The cookie-based auth example shows a session token being set literally, which is more dangerous than a password example because a valid session token can often be used immediately without additional authentication. In this skill's context, session reuse and authenticated browsing are core features, so normalizing direct token handling materially increases the risk of account takeover if users expose real tokens in logs, history, or shared scripts.

Missing User Warnings

Medium
Confidence: 89%
Finding: The documented screenshot, PDF, video, trace, profile, and state-saving commands persist potentially sensitive browser contents to disk without any warning about the risk of capturing credentials, personal data, session tokens, or internal application content. In a browser-automation skill, these artifacts are especially sensitive because they may include full-page state, authenticated views, and debugging telemetry that can later be exfiltrated or reused.

Missing User Warnings

Medium
Confidence: 94%
Finding: Commands for setting credentials, reading cookies/localStorage, and saving authentication state directly handle secrets and session material, yet the documentation provides no privacy or security warning. In an agent-driven browser context, this increases the chance that operators or downstream agents will expose passwords, tokens, or reusable authenticated state without understanding the sensitivity of these values.

Missing User Warnings

Medium
Confidence: 91%
Finding: The eval command enables arbitrary JavaScript execution in the page context, but the reference omits any warning that such scripts can mutate DOM state, submit forms, trigger purchases, alter settings, or extract sensitive in-page data. Because this skill is specifically meant for automation, normalizing eval without guardrails makes unintended or unsafe actions much more likely.

Missing User Warnings

Medium
Confidence: 90%
Finding: The network routing, request inspection, header injection, and proxy features can observe, modify, block, or reroute browser traffic, yet the documentation does not warn that this may expose credentials, API data, cookies, or alter security-sensitive requests. In a browser agent, these capabilities materially increase the risk of interception, tampering, and unintended data disclosure.

Missing User Warnings

Medium
Confidence: 95%
Finding: The profiling guide instructs users to capture and save Chrome trace data but never warns that trace files can contain sensitive browsing metadata, URLs, timing information, user interaction details, and potentially application-specific identifiers. In a browser automation skill, this omission is more dangerous because agents may profile authenticated sessions, internal apps, or user workflows, increasing the chance that sensitive operational data is collected and later exposed through logs, artifacts, or shared files.

Missing User Warnings

Medium
Confidence: 93%
Finding: The documentation demonstrates embedding proxy usernames and passwords directly in environment variables and proxy URLs without warning that these secrets can leak via shell history, process listings, logs, CI output, or copied terminal sessions. In an agent-browser skill, this is more dangerous because users may automate browsing in shared environments or have agents generate/debug commands, increasing the chance that credentials are exposed or persisted unintentionally.

Missing User Warnings

Medium
Confidence: 96%
Finding: The documentation shows saving and loading browser session state without prominently warning that the file can contain cookies, storage data, and active authentication material sufficient to restore logged-in sessions. In a browser automation skill, this is especially sensitive because users may routinely automate authenticated workflows, so an exposed state file can enable account hijacking or lateral access to protected web apps.

Missing User Warnings

Medium
Confidence: 94%
Finding: This documentation encourages recording browser sessions, including examples that fill login forms and passwords, but never warns that videos can capture credentials, session tokens, personal data, or other sensitive on-screen information. In an agent-browser skill, this is more dangerous because recordings may be generated during authentication flows, CI runs, or debugging and then stored, shared, or uploaded as artifacts, creating a secondary data-exposure channel.

Session Persistence

Medium
Category: Rogue Agent
Content (quoted from the skill's documentation):
### Load Session State

```bash
# Restore saved state
agent-browser state load /path/to/auth-state.json

# Continue with authenticated session
```

Confidence: 91%
Finding: Restore saved state

VirusTotal

64/64 vendors flagged this skill as clean.