web-llm-chat

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-aligned for controlling a Qwen browser chat, but it asks for powerful browser-relay access and page-reading abilities without enough user-facing privacy and credential warnings.

Install only if you are comfortable giving the skill access to a local browser relay that can inspect and control Qwen tabs. Use a dedicated browser profile with no unrelated sensitive tabs, avoid sending confidential prompts or documents, protect the relay token and rotate it if it is exposed, and treat the `read` command as potentially capturing the whole visible page or conversation history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Description-Behavior Mismatch

Severity: Low. Confidence: 88%.
Finding:
The `read` command prints `document.body.innerText`, which captures the entire Qwen tab content rather than only the latest model reply. In a browser chat context this can expose prior conversations, prompts, sidebar/history text, and any other sensitive data rendered on the page, creating unintended data disclosure beyond the skill's stated purpose.

Context-Inappropriate Capability

Severity: Medium. Confidence: 84%.
Finding:
The script reads the local OpenClaw configuration file and derives a relay authentication token from it, which gives it access to the local browser relay. That capability is security-sensitive and broader than simply 'chatting with Qwen'; if misused or combined with other commands, it enables authenticated access to relay-controlled browser data and actions.

Missing User Warnings

Severity: Medium. Confidence: 95%.
Finding:
The skill promotes sending prompts and reading page content through a local relay into a logged-in third-party web LLM, but the description does not clearly warn that user messages and potentially sensitive browser content leave the local agent boundary and are exposed to an external service account. In this context, the danger is elevated because the skill is explicitly intended for research workflows, multi-turn investigations, and page-content reading, increasing the likelihood that confidential data is transmitted unintentionally.

Vague Triggers

Severity: Medium. Confidence: 89%.
Finding:
The skill declares broad trigger phrases such as "browser AI chat" and "free AI search," which can overlap with ordinary user requests and cause unintended invocation. In this skill's context, accidental activation is more dangerous because the tool can drive a browser-connected LLM and access current chat/page state, potentially sending user content to a third-party web service without clear intent.

Missing User Warnings

Severity: Medium. Confidence: 93%.
Finding:
The documentation advertises the ability to read the current page content and conversation history but does not warn that this may expose sensitive data present in the browser tab, including prompts, uploaded material, account information, or other private content. This is especially risky here because the skill is designed to interact with a logged-in third-party LLM page, so users may reasonably have confidential research or personal data visible in that session.

Missing User Warnings

Severity: Medium. Confidence: 92%.
Finding:
The documentation instructs users to place the gateway authentication token into a browser extension configuration, but it does not warn that this token is a sensitive credential that enables authenticated access to the relay. In the context of a skill designed to control browser tabs and interact with web LLM sessions, mishandling or exposing this token could allow unauthorized local or adjacent access to relay endpoints and browser-control capabilities.

Missing User Warnings

Severity: Medium. Confidence: 95%.
Finding:
The documentation enumerates authenticated endpoints and a CDP workflow that supports tab enumeration, JavaScript execution, and navigation, but it omits any warning that these APIs provide powerful remote inspection and control over browser tabs. Given this skill's purpose—driving a live browser tab connected to web-based LLMs—this materially increases the risk of session abuse, data exfiltration, prompt leakage, or unauthorized actions if the relay is exposed or the token is compromised.

Missing User Warnings

Severity: Medium. Confidence: 90%.
Finding:
Silently harvesting authentication material from a local config file without a clear user-facing warning violates the principle of least surprise and weakens user consent around sensitive local secrets. Even though the script derives the token rather than printing it, it still obtains privileged credentials that can be used to access the local relay and to automate or inspect browser state.

Missing User Warnings

Severity: Medium. Confidence: 89%.
Finding:
The `read` command dumps the entire page text with no meaningful privacy warning, which can disclose sensitive chat content and surrounding page data to whoever invokes the skill. Because the skill markets itself as a chat/search helper, users may reasonably expect message-scoped behavior, not full-page extraction.

VirusTotal

65/65 vendors flagged this skill as clean.