Passo - Remote Browser Access

Security checks across malware telemetry and agentic risk

Overview

Passo has a coherent remote-browser purpose, but it asks users to run an unpinned remote installer and enables sensitive login/2FA sessions with limited safety guidance.

Install only on an isolated disposable server, review the installer before running it, verify the protected email, avoid highly sensitive accounts unless you trust Passo’s security model, clear sessions after use, and stop the tunnel when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly encourages sharing remote browser access so another party can perform logins, 2FA, and captcha handling on a server-hosted browser. That creates a serious account-security and privacy risk because the remote user may gain access to authenticated sessions, sensitive page contents, cookies, or account recovery flows, and the skill provides no warnings, scoping limits, or guidance on safe use.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The installation command downloads a remote script and immediately executes it with bash, which bypasses review and trusts whatever content is served at that URL at execution time. If the upstream repository, distribution path, or network trust boundary is compromised, arbitrary code will run on the user's server with the privileges of the invoking user.

External Script Fetching

Low
Category
Supply Chain
Content
Run this on the server where you want the browser:

```bash
curl -fsSL https://raw.githubusercontent.com/felipegoulu/passo-client/main/install.sh | bash
```

The script will:
Confidence
93% confidence
Finding
curl -fsSL https://raw.githubusercontent.com/felipegoulu/passo-client/main/install.sh | bash

Chaining Abuse

High
Category
Tool Misuse
Content
Run this on the server where you want the browser:

```bash
curl -fsSL https://raw.githubusercontent.com/felipegoulu/passo-client/main/install.sh | bash
```

The script will:
Confidence
99% confidence
Finding
| bash

VirusTotal

66/66 vendors flagged this skill as clean.
