Browser Relay

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about being a browser relay, but it gives an AI broad control of a local Chromium browser and possible logged-in sessions.

Install only if you intentionally want an agent to control a local Chromium browser. Use a VM/container or a fresh dedicated browser profile, avoid opening sensitive accounts in that browser, verify Telegram bot and chat settings before sending screenshots, pin dependencies if possible, and stop both the relay and remote-debugging Chromium when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The skill presents itself as a browser relay and screenshot helper, but it also exposes broad browser automation and arbitrary JavaScript execution via /evaluate. In context, that means an agent can inspect DOM state, interact with authenticated sessions, and potentially access sensitive in-browser data well beyond the narrowly advertised purpose, increasing the chance of misuse or unsafe delegation.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to pull Telegram Bot credentials from memory or session state, which expands access beyond browser control into unrelated secret retrieval. That creates a cross-domain secret exposure path: a browser automation skill should not need broad access to previously stored credentials unless those secrets are passed in explicitly for the current task.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The /evaluate endpoint exposes arbitrary JavaScript execution in the context of whatever page is open in the user's local Chromium instance. That enables reading page DOM content, extracting tokens or sensitive data from authenticated sessions, and triggering privileged actions on behalf of the user far beyond the documented screenshot/browser-relay behavior. In this skill context, controlling a user's local browser specifically to bypass IP restrictions makes this more dangerous because it is likely to be used against logged-in, trusted browser state.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README explicitly instructs users to transmit browser screenshots to Telegram, which is a third-party service, but does not include a clear warning that captured content may contain sensitive data such as session state, personal information, or confidential pages. In a browser-control relay context, screenshots can easily expose private content, making omission of a privacy warning a real security concern.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This service exposes navigation, clicking, typing, keypress, tab management, screenshots, scrolling, waiting, and page evaluation against the user's local browser without any user-facing consent, warning, or visibility controls. Even though it uses a bearer token and binds to localhost, any local process, plugin, or agent that obtains the token can silently drive authenticated sessions, read sensitive content, and perform destructive actions in the browser. The skill context increases risk because the stated purpose is remote relay of a local browser, which naturally bridges untrusted automation into a trusted user environment.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# 2. Send to Telegram
TG_BOT_TOKEN="your-bot-token"
TG_CHAT_ID="your-chat-id"
curl -s -X POST "https://api.telegram.org/bot${TG_BOT_TOKEN}/sendPhoto" \
  -F "chat_id=${TG_CHAT_ID}" \
  -F "photo=@/tmp/relay_screenshot.png"
```
Confidence
95% confidence
Finding
curl -s -X POST "https://api.telegram.org/bot${TG_BOT_TOKEN}/sendPhoto" \ -F "chat_id=${TG_CHAT_ID}" \ -F "photo=@/tmp/relay_screenshot.png" ``` ### Tab Management ```bash # New tab curl -s -H "

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# 2. Send to Telegram
TG_BOT_TOKEN="your-bot-token"
TG_CHAT_ID="your-chat-id"
curl -s -X POST "https://api.telegram.org/bot${TG_BOT_TOKEN}/sendPhoto" \
  -F "chat_id=${TG_CHAT_ID}" \
  -F "photo=@/tmp/relay_screenshot.png"
```
Confidence
95% confidence
Finding
https://api.telegram.org/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# 2. Send the image via the Telegram Bot API
# The placeholder values below read: "obtain from session_state or memory"
TG_BOT_TOKEN="<从 session_state 或 memory 获取>"
TG_CHAT_ID="<从 session_state 或 memory 获取>"
curl -s -X POST "https://api.telegram.org/bot${TG_BOT_TOKEN}/sendPhoto" \
  -F "chat_id=${TG_CHAT_ID}" \
  -F "photo=@${SCREENSHOT_PATH}"
```
Confidence
96% confidence
Finding
curl -s -X POST "https://api.telegram.org/bot${TG_BOT_TOKEN}/sendPhoto" \ -F "chat_id=${TG_CHAT_ID}" \ -F "photo=@${SCREENSHOT_PATH}" ``` Telegram 配置: - Bot Token 和 Chat ID 从 memory 或 session_sta

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# 2. Send the image via the Telegram Bot API
# The placeholder values below read: "obtain from session_state or memory"
TG_BOT_TOKEN="<从 session_state 或 memory 获取>"
TG_CHAT_ID="<从 session_state 或 memory 获取>"
curl -s -X POST "https://api.telegram.org/bot${TG_BOT_TOKEN}/sendPhoto" \
  -F "chat_id=${TG_CHAT_ID}" \
  -F "photo=@${SCREENSHOT_PATH}"
```
Confidence
96% confidence
Finding
https://api.telegram.org/

Unpinned Dependencies

Low
Category
Supply Chain
Content
aiohttp
websockets
Confidence
96% confidence
Finding
aiohttp

Unpinned Dependencies

Low
Category
Supply Chain
Content
aiohttp
websockets
Confidence
96% confidence
Finding
websockets

Known Vulnerable Dependency: aiohttp — 10 advisory(ies): CVE-2024-52303 (aiohttp has a memory leak when middleware is enabled when requesting a resource ); CVE-2026-34514 (AIOHTTP has CRLF injection through multipart part content type header constructi); CVE-2026-34517 (AIOHTTP has late size enforcement for non-file multipart fields causes memory Do) +7 more

High
Category
Supply Chain
Confidence
89% confidence
Finding
aiohttp

Known Vulnerable Dependency: websockets — 4 advisory(ies): CVE-2018-1000518 (websockets is vulnerable to denial of service by memory exhaustion); CVE-2021-33880 (Observable Timing Discrepancy in aaugustin websockets library); CVE-2018-1000518 (aaugustin websockets version 4 contains a CWE-409: Improper Handling of Highly C) +1 more

High
Category
Supply Chain
Confidence
88% confidence
Finding
websockets

VirusTotal

65/65 vendors flagged this skill as clean.
