Cdp Browser

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed browser-control tool, but it gives an agent broad access to logged-in browser tabs and posting actions that deserve careful review before use.

Install only if you intend to let OpenClaw control a browser session. Use a separate Chrome/Chromium profile with only the accounts and tabs needed, avoid Gmail or other sensitive sessions unless required, review page-reading and screenshot requests explicitly, and clear pending tweet files and screenshots after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill exposes meaningful capabilities over a persistent browser session, including network access via CDP/Playwright and use of environment/config paths, yet the skill metadata does not declare permissions or clearly bound those capabilities. In an agent setting, undeclared capabilities are dangerous because they weaken policy enforcement and can lead operators to invoke a skill that can read private browser data or act on logged-in sessions without adequate review.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The documented purpose understates several sensitive behaviors: reading page text/HTML/URL from logged-in tabs, writing pending tweet state to disk, and integrating with Telegram confirmation flows. This mismatch is security-relevant because users may treat the skill as simple browser navigation/posting while it can also extract private page content and persist action state, increasing the risk of unintended data exposure or unauthorized actions.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The skill is designed to operate against a persistent, possibly logged-in browser session, including accounts like X and Gmail, but the description does not prominently warn that invoking it may expose private account data or trigger actions as the logged-in user. In this context, that omission materially increases risk because an agent may query sensitive page content or manipulate authenticated sessions under the user's ambient credentials.

Missing User Warnings

Severity: Low
Confidence: 81%
Finding: The Telegram confirmation flow writes pending tweet data, including text and tab ID, to a workspace file, but the documentation does not strongly warn about this persistence or retention. Even though the data appears limited, local persistence can leak sensitive draft content, confuse later sessions, or enable replay/posting if cleanup is incomplete.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: This skill performs unauthenticated network operations against a local Chrome DevTools Protocol endpoint that can control a persistent, logged-in browser session, but it provides no explicit warning, consent gate, or disclosure to the user. In this skill context, that is especially dangerous because the browser may already be authenticated to sensitive services like X or Gmail, enabling navigation and actions with the user's existing session and creating a high risk of account misuse, data exposure, or unintended side effects.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The query action allows unrestricted extraction of page URL, text, and HTML from any browser tab reachable through the persistent CDP session, then prints the result to stdout. In this skill's context, the browser may already be logged into sensitive services like Gmail or X, so an agent or downstream caller can exfiltrate private page contents, tokens in the DOM, email text, or other confidential data without any confirmation, origin restrictions, or redaction.

Session Persistence

Severity: Medium
Category: Rogue Agent
Content:
- **tweet-draft** (default): Fills the compose box; user reviews in browser and posts manually.
- **tweet-post**: Requires `--confirm` as second arg (strict). Use when user explicitly approves ("go ahead", "post it", or Telegram confirm button).
- **Optional Telegram confirm:** When `tweet.confirmButton` is enabled in config, the agent can run `tweet-draft --save-pending` to write pending state, then send a message with an inline "Confirm Post" button. On confirm, the agent runs `tweet-post --confirm`.

### Config (required for Telegram confirm button)
Confidence: 88%
Finding: write pending state, then send a message with an inline "Confirm Post" button. On confirm, the agent runs `tweet-post --confirm`. ### Config (required for Telegram confirm button) The Telegram "Conf

VirusTotal

66/66 vendors flagged this skill as clean.