Browser Hosting

Security checks across malware telemetry and agentic risk

Overview

This browser automation skill is purpose-aligned but needs Review because it can control live or remote browsers while understating session, data, and network exposure risks.

Install only if you intend to give an agent browser-control authority. Prefer the isolated openclaw profile, avoid the chrome profile unless you want the agent to use your logged-in browser, and use remote CDP or Browserless only with trusted endpoints, TLS, short-lived tokens, and redacted logs/config. Review before submitting forms, making purchases, changing account settings, posting content, extracting authenticated data, or uploading files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 86%
Finding: The skill documentation clearly instructs use of shell commands and implies file-based configuration and bundled scripts, yet it declares no permissions. That mismatch can cause the agent or user to execute capabilities with insufficient visibility or policy gating, undermining least-privilege and informed consent.

Intent-Code Divergence

Medium
Confidence: 92%
Finding: The skill claims browser control is restricted to localhost, but elsewhere documents remote CDP endpoints, browserless hosting, and node proxying to other machines. Conflicting security claims can mislead users into assuming stronger isolation than actually exists, increasing the risk of unauthorized remote control, exposure of browser data, or unsafe trust in remote endpoints.

Missing User Warnings

Medium
Confidence: 84%
Finding: The skill enables scraping, form filling, screenshots, PDFs, and network/request monitoring, all of which can capture sensitive personal, credential, or proprietary data. Without explicit privacy and consent warnings, users may unintentionally collect, store, or transmit regulated or confidential information during automation workflows.

Missing User Warnings

Medium
Confidence: 89%
Finding: The workflow demonstrates entering credentials and extracting page data, but provides no warning that these actions may involve secrets, personal data, or regulated information. In a browser automation skill, this omission can normalize unsafe handling of usernames, passwords, and scraped content, increasing the chance users expose sensitive data in logs, snapshots, shell history, or downstream processing.

Missing User Warnings

Low
Confidence: 82%
Finding: The monitoring examples encourage inspecting browser errors and network requests without warning that headers, URLs, payloads, tokens, cookies, or page content may contain sensitive information. In this skill's context, those commands are meant for observability and debugging, so the issue is not malicious functionality, but the lack of privacy and secrecy warnings can still lead to accidental disclosure.

Missing User Warnings

Medium
Confidence: 93%
Finding: The documentation encourages configuring remote CDP endpoints, including examples with embedded credentials and network-accessible browser control, but does not prominently warn that CDP commonly grants full browser session control and access to cookies, page content, and authenticated contexts. In a browser-hosting skill, this omission is especially risky because users may expose a remotely controllable browser or leak tokens through config files, logs, shell history, or screenshots.

VirusTotal

59/59 vendors flagged this skill as clean.
