opencli

Security checks across malware telemetry and agentic risk

Overview

This skill is presented as website data fetching, but it can also act through logged-in browser and desktop app sessions to post, message, delete, write, and change account state.

Install only if you intentionally want broad OpenCLI automation through your logged-in browser and desktop app sessions. Use a separate Chrome profile with limited accounts, review the npm package and Browser Bridge extension, and require explicit confirmation before any command that posts, sends, deletes, follows, writes, exports private data, or changes account state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch

High, 97% confidence
Finding
The skill advertises itself as a website-data fetching tool, but the documented commands include many write, control, and account-affecting actions such as posting, deleting, messaging, following, and app UI manipulation. This mismatch can mislead users and orchestrators into invoking a much more privileged capability set than expected, increasing the chance of unintended destructive or privacy-impacting actions through logged-in sessions.

Context-Inappropriate Capability

High, 98% confidence
Finding
The skill exposes broad desktop-app and browser-session control far beyond the stated purpose of fetching website data, including sending messages, switching models, reading chats, exporting conversations, and manipulating third-party apps. In the context of an agent skill, this expands the attack surface substantially and enables cross-application data access, exfiltration, impersonation, or destructive user-account actions if invoked by prompt injection or ambiguous requests.

Vague Triggers

Medium, 89% confidence
Finding
Broad trigger terms such as popular platform names can cause the skill to activate in situations where the user merely mentions a site, rather than explicitly requesting this tool. Because the skill includes authenticated and write-capable actions, accidental invocation is more dangerous than in a read-only utility and can lead to unintended browsing, data access, or account operations.

Vague Triggers

Medium, 90% confidence
Finding
The trigger section lists many platform names without clarifying boundaries, making it easy for normal conversation about Twitter, Reddit, YouTube, or similar sites to route into this skill. Given the skill's ability to use logged-in sessions and perform actions, this ambiguity materially raises the risk of unintended activation and downstream account-impacting behavior.

Missing User Warnings

Medium, 95% confidence
Finding
The documentation states that the skill reuses Chrome login state but does not prominently warn users that commands may act with the full privileges of their authenticated sessions. This makes private-data access and account actions more dangerous because users may reasonably assume the tool is limited to public scraping rather than operating as them on already logged-in services.

Missing User Warnings

Medium, 97% confidence
Finding
The skill documents destructive or account-affecting actions such as sending messages, posting content, deleting tweets, following/unfollowing, adding items to carts, and similar operations without strong warnings or confirmation guidance. In an agent setting, absence of friction around these operations increases the likelihood of accidental, prompt-induced, or socially engineered misuse with real-world consequences.

VirusTotal

63/63 vendors flagged this skill as clean.