soushen

Security checks across malware telemetry and agentic risk

Overview

This web-search skill needs Review because its deep browsing mode can collect sensitive page data and weakens browser protections beyond what its stated purpose explains.

Install only after reviewing and narrowing the deep-browsing behavior. It should not be used on logged-in, internal, or sensitive sites unless cookie output, form-value capture, and unsafe browser flags are removed or explicitly gated by user consent, with clear domain scoping and privacy warnings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89%
Finding
The skill declares no permissions while its documented behavior clearly requires network access and likely environment/system interaction to locate and launch a browser. This creates a transparency and governance gap: operators and users cannot accurately assess what the skill is allowed to do, which increases the chance of unintended data access or unsafe deployment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95%
Finding
The documented purpose is limited to Bing search and page-structure extraction, but the analyzed behavior reportedly also collects browser cookies and broad page content. Cookie extraction is especially sensitive because it can expose session identifiers or authentication state, and collecting more content than advertised violates user expectations and can enable covert data harvesting.

Context-Inappropriate Capability

Medium
Confidence
94%
Finding
The README explicitly advertises "Anti-detection: bypass anti-crawler mechanisms" (original text: 反检测 - 绕过反爬虫机制), which goes beyond normal search and page-structure extraction and signals evasion of site protections. In an agent skill context, this increases the likelihood of abusive scraping, policy violations, and automated access to targets that are intentionally trying to restrict bots.

Context-Inappropriate Capability

Medium
Confidence
91%
Finding
Advertising anti-detection measures such as disabling automation indicators and randomizing behavior is unrelated to ordinary search/page analysis and can be used to bypass site defenses or monitoring. In a web automation skill, these evasion features materially increase abuse potential and suggest operation against targets that may not permit automated access.

Description-Behavior Mismatch

Medium
Confidence
97%
Finding
The deep-analysis output includes raw browser cookies for the visited page, which exceeds the stated purpose of extracting search results and page structure. Cookies can contain session identifiers or tracking data, so returning them in JSON creates a direct data-exfiltration channel from arbitrary sites the tool visits.

Description-Behavior Mismatch

Medium
Confidence
98%
Finding
The page extractor captures full page text and form input `value` fields, not just structural metadata like links or headings. This can expose sensitive page contents and autofilled or prepopulated form data to downstream consumers, turning a browsing helper into a broad content and data harvesting tool.

Context-Inappropriate Capability

High
Confidence
99%
Finding
Launching Chromium with `--disable-web-security` and disabled site isolation removes major browser protections that prevent cross-origin access and renderer separation. For a tool that visits arbitrary web pages, this unnecessarily expands the blast radius of malicious pages and can enable unsafe cross-origin data access patterns.

Missing User Warnings

Medium
Confidence
89%
Finding
The documentation promotes deep extraction of links, forms, buttons, scripts, and anti-detection behavior without any warning about privacy, consent, legal restrictions, or operational impact on target systems. For an autonomous or semi-autonomous agent, that omission can normalize indiscriminate collection and make misuse easier, especially against third-party sites with sensitive forms or tracking scripts.

Vague Triggers

Medium
Confidence
83%
Finding
The activation conditions are broad enough that the skill may trigger for many generic browsing or extraction requests, including situations where users did not intend live web access or deep scraping. Overbroad invocation increases the risk of unnecessary network activity, privacy exposure, and execution of a more powerful skill than required.

Missing User Warnings

Medium
Confidence
87%
Finding
Deep page analysis can contact third-party sites, execute browser automation, and extract potentially sensitive page elements or content, yet the description provides no privacy or system-impact warning. Without disclosure, users may unknowingly expose internal URLs, authenticated content, or browsing metadata to the skill's extraction logic.

Missing User Warnings

Medium
Confidence
92%
Finding
Deep mode performs network access to arbitrary URLs and returns sensitive artifacts such as cookies and page content without any user-facing disclosure or confirmation. That combination creates a transparency and consent problem, especially in an agent setting where users may not expect hidden browsing side effects or data capture breadth.

Ssd 3

High
Confidence
98%
Finding
The tool serializes raw cookies, form values, and broad page text into JSON, making it easy for sensitive browser- and page-derived data to be ingested, logged, or forwarded by an LLM/agent pipeline. In the context of an agent skill designed for arbitrary web fetching, this materially increases the risk of secret leakage from authenticated or sensitive pages.

VirusTotal

66/66 vendors flagged this skill as clean.