Selenium

Security checks across malware telemetry and agentic risk

Overview

This is a real Selenium/Membrane integration, but it gives agents broad authenticated browser/API request capability without tight scope or confirmation controls.

Install only if you trust Membrane and need Selenium automation through that service. Use a least-privilege Membrane account or connection, review authentication scopes, avoid sensitive browser sessions when possible, and require explicit user confirmation before any raw proxy request, especially POST, PUT, PATCH, or DELETE.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
The manifest says the skill is for interacting with 'Selenium data,' but the body describes much broader capabilities: browser automation, connection creation, action discovery, and direct proxying to external endpoints. This mismatch can cause an orchestrator or user to invoke the skill under a narrower trust assumption than its actual power, increasing the risk of unintended external access or misuse.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The skill exposes a generic authenticated proxy request path that can send arbitrary methods, headers, bodies, query parameters, and path parameters through an existing Membrane connection. That is materially broader than a Selenium-focused integration and can be abused to reach unintended endpoints or perform sensitive state-changing operations under delegated credentials.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The invocation text is broad and ambiguous ('manage data, records, and automate workflows'), which can cause overbroad routing and make the skill eligible for requests beyond a narrowly intended Selenium use case. In the context of a skill that also supports external connections and proxy requests, vague activation language increases the chance of inappropriate autonomous use.

VirusTotal

65/65 vendors flagged this skill as clean.