Jarvis Browser Setup

Security checks across malware telemetry and agentic risk

Overview

This skill is for browser-control setup, but it handles a powerful control token and unreviewed local server/extension code with weak disclosure and scoping.

Review the actual server and extension code before running this skill. Treat the generated folder, config.json, README.md, and terminal output as sensitive secrets; only run the WebSocket server on a trusted network, do not share the token broadly, and rotate/regenerate it if it appears in logs or shared files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill advertises automated setup that writes configuration and extension artifacts, yet it does not declare the corresponding file access permissions. Undeclared file read/write capabilities reduce transparency and prevent users or policy systems from accurately assessing what the skill can modify, which is dangerous for a setup flow that handles auth tokens and local configuration.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding: This is a substantive description-behavior mismatch involving security-sensitive actions: probing network configuration, printing the generated auth token to stdout, and failing to fully propagate the token into all generated components. Users are told the process is fully automated and secure, but the observed behavior can leak secrets, misconfigure authentication, and start a server under misleading assumptions, increasing the chance of unauthorized access or insecure deployment.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The README explicitly describes generating and distributing a unique auth token and packaging it into configuration and extension files, but it does not warn about secure storage, transmission, rotation, or the risk of exposing the token in generated artifacts. In a browser-control system, that token is effectively a bearer secret; mishandling it could allow unauthorized remote control if the package or config is shared, leaked, or left on disk insecurely.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The trigger phrase is overly broad and framed as a natural-language command without scope limits, making accidental or context-insensitive activation more likely. Because this skill performs sensitive setup actions such as token generation, file creation, and server startup, an imprecise trigger raises the risk of unintended system modification.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The description promises fully automated token generation, server configuration, and extension preparation without warning that the skill modifies the system and may expose sensitive artifacts. In a security-relevant setup workflow, omitting those warnings undermines informed consent and can cause users to run code that changes files and launches network services unexpectedly.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: Claims such as 'No manual steps required' and 'does everything automatically' downplay the fact that the workflow generates secrets and may automatically start a WebSocket server. This messaging is particularly risky in the context of browser control infrastructure, where sensitive credentials and exposed local services should be surfaced clearly rather than hidden behind convenience language.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The script generates an authentication token, prints it to stdout, and writes it to disk in a package meant to be shared. In this skill's context, that token grants browser-control capability, so exposing or persistently storing it increases the chance of credential leakage through logs, shell history capture, screenshots, backups, or accidental redistribution.

VirusTotal

63/63 vendors flagged this skill as clean.
