Back to skill

Security audit

Web Access Clawhub

Security checks across malware telemetry and agentic risk

Overview

This is a real browser-automation skill, but it gives broad control over your logged-in Chrome session with limited safeguards.

Install only if you intentionally want an agent to operate your real Chrome profile. Treat it like granting access to sites where you are already logged in. Avoid banking, admin consoles, private documents, sensitive accounts, and untrusted pages; require explicit approval before uploads, screenshots, purchases, account changes, or use of tokenized URLs; and stop the proxy when finished if you do not want a localhost browser-control API left running.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill tells agents to persist and update per-site knowledge files on disk, which exceeds transient web-access behavior and creates an unbounded local write capability. This can be abused to store sensitive browsing-derived data, poison future runs, or silently modify the agent's local knowledge base in ways users did not request.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The /eval endpoint accepts arbitrary JavaScript from the caller and runs it via Runtime.evaluate inside the user's live Chrome target. That gives any local process that can reach this proxy the ability to read page contents, interact with authenticated sessions, extract tokens/data, and perform arbitrary actions as the user, which goes well beyond ordinary web fetching.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The clickAt and setFiles capabilities explicitly aim to simulate trusted user gestures, trigger file dialogs, bypass anti-automation checks, and inject local files into page uploads. In the context of controlling a real user Chrome profile, these features enable stealthier abuse of authenticated sites and exfiltration/upload of local files, increasing the risk far beyond normal automation.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Labeling the skill as 'Universal web access' with few trigger constraints encourages invocation across many contexts, including sensitive sites and high-risk tasks. Overbroad activation increases the chance that powerful browsing, shell, and authenticated-session features are used when a narrower, safer tool would suffice.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The instructions explicitly direct agents to write or update local site-pattern files without notifying the user, which is a transparency and consent failure. Silent disk modification is dangerous because it can create persistence, alter future agent behavior, and store potentially sensitive observations from browsing sessions.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation explicitly describes using DOM.setFileInputFiles to set local file paths and states it can completely bypass the native file dialog. In a web-access skill that handles login-required sites and complex browser automation, this creates a realistic path for silent local file selection and upload without an explicit user confirmation step, increasing the risk of unintended disclosure of sensitive local files.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The screenshot endpoint allows writing captured browser contents to an arbitrary local file path, but the documentation provides no constraints or safety guidance. This can overwrite files, create sensitive artifacts on disk, or store captured authenticated content in unsafe locations, especially in an automation context interacting with private sessions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The API advertises browser-level real mouse clicks that can trigger file dialogs and bypass some anti-automation detection. In this skill’s context, emphasizing anti-detection and real user gesture simulation materially increases abuse potential for interacting with protected workflows, consent gates, or upload prompts in ways ordinary scripted clicks cannot.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Sensitive endpoints can create tabs, navigate authenticated sessions, execute script, click elements, upload files, scroll, take screenshots, and close tabs with no user-facing warning, confirmation, or meaningful access control. Because this proxy attaches to the user's existing Chrome session, these actions can silently alter state on websites, expose private data, or cause destructive account actions.

Ssd 4

Medium
Confidence
89% confidence
Finding
The skill normalizes working around login walls and access barriers whenever they obstruct obtaining the target content, framing restrictions as obstacles to overcome rather than authorization boundaries to respect. In a tool that uses the user's live Chrome session, this materially raises the risk of unauthorized access to private or account-scoped data and inappropriate interaction with protected services.

Ssd 2

Medium
Confidence
92% confidence
Finding
The guidance recommends switching from programmatic access to human-like GUI interaction specifically because it is less likely to trigger anti-scraping defenses. That is effectively operational advice for evading platform protections, which can facilitate unauthorized scraping or terms-of-service violations at scale.

Ssd 2

Medium
Confidence
90% confidence
Finding
The instructions advise preserving full session-bearing URLs and changing access methods when sites return 'content unavailable,' explicitly suggesting that failures may be due to missing tokens or anti-crawling controls rather than real unavailability. This encourages retaining and replaying access parameters that may carry session context, and adapting tactics to get around site protections.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

No suspicious patterns detected.