automation browser

Security checks across malware telemetry and agentic risk

Overview

This browser automation skill is mostly purpose-aligned, but it installs system software, starts a background local service, writes logs, and logs typed text in ways users should review before installing.

Install only if you trust the QQ Browser/x5use supply chain and are comfortable with system-level package installation and a background local browser-control service. Avoid entering secrets through input_text.py until raw input logging is removed or masked, and verify where downloads and /usr/local/qb_logs are stored and cleaned up.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill exposes significant capabilities—shell execution, network access, filesystem writes via downloads, and a local service/MCP-style control plane—without declaring permissions or warning consumers. That creates a trust and review gap: operators may approve a seemingly simple browser automation skill while it can install software, start background services, and write files.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The documented purpose understates the actual operational behavior by omitting remote package installation, background service management, and other side-effecting actions. This mismatch is dangerous because reviewers may treat it as routine browser automation when it also alters the host environment and establishes persistent local control components.

Context-Inappropriate Capability

Medium
Confidence
79% confidence
Finding
The skill silently ensures a local service is running by spawning an external binary and writing logs under /usr/local/qb_logs, which exceeds a narrow browser-control client role and creates additional execution and persistence-like behavior. In an agent environment, this increases attack surface because installation/PATH manipulation or a trojanized x5use-linux-mcp binary could cause unintended code execution, and automatic background service startup may bypass operator expectations.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill advertises file downloads but does not disclose where content is stored, how filenames are chosen, or the filesystem impact. In a browser automation context, downloading arbitrary remote content can consume disk space, introduce unsafe files into shared locations, or create follow-on risks if other tooling later processes those files.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script logs the full text being entered into the browser, which may include passwords, tokens, personal data, or other secrets supplied on the command line. In a browser automation skill, input text is especially likely to be sensitive, and plaintext logging can expose it through console output, log files, centralized logging systems, or error reports.

VirusTotal

64/64 vendors flagged this skill as clean.
