Browser Automation

Security checks across malware telemetry and agentic risk

Overview

This is a useful browser automation skill, but it gives agents broad control over real logged-in browser sessions without enough safety boundaries.

Install only if you intentionally want an agent to control browser pages. Prefer the sandbox target, avoid profile="user" except for attended tasks, never give the agent passwords or one-time codes, and require explicit confirmation before login, form submission, purchase, deletion, account changes, or actions on private sites.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The skill explicitly documents an `evaluate` action that accepts arbitrary JavaScript strings and executes them in the browser page context. While page-context execution is a common browser automation capability, exposing it broadly in a general-purpose skill materially increases capability from UI automation to unrestricted DOM/script interaction, enabling data extraction, page manipulation, and potentially unsafe workflows on sensitive pages.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding
The documentation expands operation from a managed sandbox browser to `host` and `node` targets, including a user's own browser session. That broadens the trust boundary significantly beyond the stated built-in browser control and introduces access to local authenticated state, remote environments, and potentially sensitive enterprise contexts.

Vague Triggers

Severity: Medium
Confidence: 81%
Finding
The trigger phrases are very broad and overlap with ordinary requests like 'browse this' or 'open webpage,' increasing the chance the skill is invoked in contexts the user did not intend. For a high-capability browser-control skill, overbroad routing can unintentionally grant automation, navigation, extraction, or interaction powers on arbitrary sites.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill advertises use with `profile="user"` and active logins, but does not pair that capability with strong safety and privacy constraints. Operating a logged-in user browser exposes cookies, session state, private data, and the ability to take actions as the user, which is substantially more dangerous than sandboxed browsing.

Missing User Warnings

Severity: High
Confidence: 96%
Finding
The login recipe demonstrates entering plaintext usernames and passwords directly in the skill documentation, normalizing insecure secret handling and encouraging credential submission through automation. In the context of host-browser and logged-in-session support, this materially raises the risk of credential exposure, replay, misuse, or unsafe delegation of authentication actions.
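The install guidance in the Overview (sandbox target by default, profile="user" only for attended tasks, no passwords or one-time codes handed to the agent, explicit confirmation before login, form submission, purchase, deletion, account changes or actions on private sites) and the `evaluate` finding above can be enforced mechanically as a gate between the agent and the browser backend. The following is an added example and not the skill's own code: the action shape ({ name, url, field, value }), the session fields ({ target, profile, attended }), the backend callback and the confirmer callback are assumptions made for illustration, not the skill's real API.

```javascript
// Added example (not the skill's code): policy gate in front of a browser-automation backend.
// Action names, session fields and callback shapes below are assumptions for illustration.

// Actions that change state as the user and therefore always need confirmation.
const CONFIRM_ACTIONS = new Set(["login", "submit", "purchase", "delete", "account_change"]);

// Hosts treated as private: loopback, RFC 1918 ranges and common internal suffixes.
const PRIVATE_HOST_PATTERNS = [
  /^localhost$/i,
  /^127\./,
  /^10\./,
  /^192\.168\./,
  /^172\.(1[6-9]|2\d|3[01])\./,
  /\.(internal|corp|lan|local)$/i,
];

// Field names that suggest a credential, and values that look like one-time codes.
const SECRET_FIELD_RE = /pass(word|wd|phrase)?|otp|one[-_ ]?time|2fa|mfa|totp|verification[-_ ]?code/i;
const OTP_VALUE_RE = /^\d{6,8}$/;

function isPrivateHost(url) {
  let host;
  try { host = new URL(url).hostname; } catch { return true; } // unparsable URL: treat as private
  return PRIVATE_HOST_PATTERNS.some((re) => re.test(host));
}

function deny(reason) { return { allow: false, needsConfirmation: false, reason }; }

// Verdict for one action: { allow, needsConfirmation, reason }.
function evaluateAction(action, session, ctx = {}) {
  // 1. Target/profile boundary: only the sandbox target runs unattended.
  if (session.target !== "sandbox" && !session.attended) {
    return deny(`target "${session.target}" requires an attended session`);
  }
  if (session.profile === "user" && !session.attended) {
    return deny('profile="user" is allowed only for attended tasks');
  }
  // 2. Arbitrary page JavaScript is never delegated to the agent.
  if (action.name === "evaluate") {
    return deny("evaluate (arbitrary page JavaScript) is disabled by policy");
  }
  // 3. Passwords and one-time codes never pass through the agent.
  if (action.name === "type" &&
      (SECRET_FIELD_RE.test(action.field || "") || OTP_VALUE_RE.test(action.value || ""))) {
    return deny("refusing to type a password or one-time code; hand control to the user");
  }
  // 4. State-changing actions and private sites need explicit user confirmation.
  const sensitive = CONFIRM_ACTIONS.has(action.name) || (action.url && isPrivateHost(action.url));
  if (sensitive && ctx.confirmed !== true) {
    return { allow: false, needsConfirmation: true, reason: `"${action.name}" needs user confirmation` };
  }
  return { allow: true, needsConfirmation: false, reason: "ok" };
}

// Dispatcher: asks the user (confirmer) once for actions that need it; only
// actions that pass the gate reach the backend. Returns an audit log.
function dispatch(actions, session, backend, confirmer) {
  const log = [];
  for (const action of actions) {
    let verdict = evaluateAction(action, session);
    if (verdict.needsConfirmation) {
      verdict = evaluateAction(action, session, { confirmed: confirmer(action) === true });
    }
    if (verdict.allow) backend(action);
    log.push({ action: action.name, ...verdict });
  }
  return log;
}

// Constructed sample run (not real traffic): sandbox session, mixed action batch.
function demo() {
  const session = { target: "sandbox", profile: "sandbox", attended: false };
  const actions = [
    { name: "navigate", url: "https://example.com/docs" },
    { name: "evaluate", script: "document.cookie" },
    { name: "type", field: "password", value: "hunter2" },
    { name: "type", field: "code", value: "123456" },
    { name: "navigate", url: "http://192.168.1.10/admin" },
    { name: "submit", url: "https://example.com/checkout" },
  ];
  const executed = [];
  const confirmer = (a) => a.name === "submit"; // user approves only the checkout submit
  const log = dispatch(actions, session, (a) => executed.push(a.name), confirmer);
  return { log, executed };
}
```

In the sample run only the public navigation and the user-confirmed submit reach the backend; the `evaluate` call and both credential entries are refused outright, and the navigation to the RFC 1918 host is held for confirmation and dropped when the user declines. The gate is deliberately deny-by-default on the target and profile so that a prompt-injected instruction cannot talk the agent into the host browser.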

VirusTotal

63/63 vendors reported this skill as clean. A clean antivirus result covers only known-malicious file content; it does not speak to the excessive-agency, credential-handling and prompt-injection findings above, which are properties of how the skill is used rather than of its bytes.