
Security audit

Safari Control

Security checks across malware telemetry and agentic risk

Overview

This Safari automation skill is coherent, but it gives an agent high-risk access to the user’s real logged-in Safari session, including raw cookie and browser-storage export, without enough built-in warning or consent controls.

Install only if you are comfortable letting an agent operate your real Safari profile. Avoid using it on banking, healthcare, admin, email, work, or shopping sessions unless necessary. Do not allow cookie/storage export or mutation unless you explicitly asked for that exact action and understand it may reveal or change active login/session data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding
The session restore capability can recreate and mutate the user's Safari window/tab state, which exceeds the described lightweight interaction scope and can cause unintended navigation, reopen sensitive sites, or disrupt an active session. In an agent setting, broader-than-advertised state mutation is dangerous because it enables persistent browser changes without clear user awareness.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The skill can export cookies and local/session storage directly from the live Safari session, which exposes authentication tokens, session identifiers, CSRF material, and other secrets from the user's real browser context. Because this skill is explicitly attached to the user's real Safari session, the context makes this more dangerous than normal browser automation: it can exfiltrate high-value secrets from sites where the user is already logged in.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The skill documents destructive commands like closing tabs and windows in the user's real Safari session without requiring confirmation, warning about live-session impact, or recommending session preservation first. In this context, the tool operates on the user's actual browsing state, so accidental or overly eager agent use could cause data loss, disrupt active work, or close authenticated workflows.
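The session-preservation step this finding asks for can be done with a few lines of AppleScript. The script below is an added example, not code from the skill or from this audit: before any close-tab or close-window action, it records the URL of every open Safari tab to a timestamped file in the home folder so the user (or the agent) can reopen them. It assumes Safari is running and that the calling process has been granted Automation permission for Safari; the output file name is an assumption chosen here.

```applescript
-- Added example, not the skill's own code: snapshot every open Safari tab URL
-- before a destructive action. Run with: osascript preserve_tabs.applescript
-- Assumes Safari is running and the caller has Automation permission for it.
set stamp to do shell script "date +%Y%m%d-%H%M%S"
-- Output path is an assumption; change it to wherever session snapshots belong.
set outPath to (POSIX path of (path to home folder)) & "safari-tabs-" & stamp & ".txt"

set urlList to {}
tell application "Safari"
    repeat with w in windows
        repeat with t in tabs of w
            try
                -- Blank tabs have no URL; the try block skips them instead of aborting.
                set end of urlList to (URL of t as text)
            end try
        end repeat
    end repeat
end tell

-- Join one URL per line and write the file as UTF-8, truncating any existing content.
set AppleScript's text item delimiters to linefeed
set body to (urlList as text) & linefeed
set fh to open for access (POSIX file outPath) with write permission
try
    set eof fh to 0
    write body to fh as «class utf8»
    close access fh
on error errMsg
    close access fh
    error errMsg
end try

-- Returns the snapshot path so a wrapper can log it before running the close command.
return outPath
```

A wrapper around the skill's close-tab and close-window commands should run this first and refuse to proceed if the snapshot fails; reopening is then a matter of iterating the saved URLs.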

Missing User Warnings

Severity: Low
Confidence: 88%
Finding
The export section encourages saving screenshots, HTML, text, links, tables, and bundles to local disk but does not clearly warn that these commands create persistent artifacts that may contain sensitive browsing content. Because this skill targets the user's real Safari session, exported files can capture authenticated data, personal information, or confidential page contents and leave them on disk beyond the active task.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
Exporting cookies without an explicit warning or consent flow is dangerous because cookies commonly contain active session material that can enable account takeover if disclosed. In this skill's context, the cookies come from the user's real Safari session, so silent export materially increases the risk of secret exfiltration.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
localStorage and sessionStorage often hold JWTs, API tokens, profile data, and application state, so exporting them without clear disclosure can leak highly sensitive information. This is especially risky in a tool designed to operate in the user's real, authenticated Safari session.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
Saving Safari screenshots to disk without a clear user-facing disclosure can capture visible secrets such as emails, account details, messages, or documents from the live browser window. While screenshotting is within the stated skill purpose, the lack of warning and default persistence to disk creates avoidable privacy and data-handling risk.

Ssd 3

Severity: High
Confidence: 98%
Finding
These commands expose cookies and storage in plain JSON output or files, making it trivial for an agent to read back and relay sensitive session data in natural-language responses or persist it unencrypted. In the real-Safari-session context, this can directly leak credentials and account tokens from already authenticated services.
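The plain-JSON exposure described here, together with the cookie and localStorage/sessionStorage findings above, can be mitigated by scrubbing the export before the agent sees it. The script below is an added example, not code from the skill or from this audit: it masks cookie values that are HttpOnly or carry session-like names, and storage values that look like JWTs or long opaque tokens, and returns a list of what was masked so the user can be told without the secret itself being echoed. The export layout (a "cookies" list plus per-origin "localStorage"/"sessionStorage" maps) and the sample data are constructed assumptions; the skill's real JSON shape is not documented on this page, so the field names must be adapted to its actual output.

```python
"""Scrub a Safari cookie/storage export before an agent reads it back.

Added example, not the skill's own code. The export layout and SAMPLE_EXPORT
below are constructed assumptions; adapt the field names to the real output.
"""
from __future__ import annotations

import json
import re

# Cookie/storage keys that usually carry session or auth material.
SENSITIVE_NAME = re.compile(r"sess|sid|token|auth|jwt|csrf|xsrf|login|remember", re.I)
# Three base64url segments separated by dots: the shape of a JWT.
JWT_VALUE = re.compile(r"^[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}$")
# Long opaque random strings are treated as secrets even under a bland name.
OPAQUE_VALUE = re.compile(r"^[A-Za-z0-9._~+/=-]{32,}$")


def looks_secret(name: str, value: str, http_only: bool = False) -> bool:
    """True if a name/value pair should not reach the agent in clear text."""
    if http_only:  # the site itself hid this cookie from page scripts
        return True
    if SENSITIVE_NAME.search(name):
        return True
    return bool(JWT_VALUE.match(value) or OPAQUE_VALUE.match(value))


def redact(value: str) -> str:
    """Keep a short prefix so the user can recognise the item; hide the rest."""
    return f"{value[:4]}...[redacted {len(value)} chars]"


def scrub_export(doc: dict) -> tuple[dict, list[str]]:
    """Return a deep copy of the export with secrets masked, plus a list of what was masked."""
    out = json.loads(json.dumps(doc))  # deep copy; the caller's document is left untouched
    report: list[str] = []
    for c in out.get("cookies", []):
        name, value = c.get("name", ""), str(c.get("value", ""))
        if looks_secret(name, value, bool(c.get("httpOnly"))):
            report.append(f"cookie {c.get('domain', '?')} {name}")
            c["value"] = redact(value)
    for area in ("localStorage", "sessionStorage"):
        for origin, items in out.get(area, {}).items():
            for key, val in items.items():
                if looks_secret(key, str(val)):
                    report.append(f"{area} {origin} {key}")
                    items[key] = redact(str(val))
    return out, report


# Constructed sample export, not real browser data.
SAMPLE_EXPORT = {
    "cookies": [
        {"domain": "bank.example", "name": "sessionid",
         "value": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6", "httpOnly": True, "secure": True},
        {"domain": "shop.example", "name": "theme",
         "value": "dark", "httpOnly": False, "secure": False},
    ],
    "localStorage": {
        "https://app.example": {
            "access_token": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyLTQyIn0.c2lnbmF0dXJlLXBsYWNlaG9sZGVy",
            "lang": "en",
        }
    },
    "sessionStorage": {"https://app.example": {"wizard_step": "3"}},
}

if __name__ == "__main__":
    scrubbed, masked = scrub_export(SAMPLE_EXPORT)
    print(json.dumps(scrubbed, indent=2))
    print("masked:", masked)
```

The heuristics err on the side of masking: an HttpOnly flag or a session-like name is enough, and a long opaque value is masked even under a harmless-looking key. A wrapper that applies this to the skill's cookie and storage commands should pass the agent only the scrubbed document and the report, never the raw export.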

Ssd 3

Severity: High
Confidence: 92%
Finding
Snapshot and bundle features aggregate page text, forms, links, tables, and screenshots into files on disk, which can capture large amounts of personal, financial, or enterprise-sensitive data from authenticated pages. Because the skill targets the user's real Safari session, the collected data may include private content far beyond what is necessary for lightweight interaction.

VirusTotal

67/67 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.