Browser Stagehand

Security checks across malware telemetry and agentic risk

Overview

This is a coherent browser automation skill, but it needs Review because it can use persistent or remote authenticated browser sessions, submit data, and write downloads with limited user control.

Install only after verifying the complete package source, package.json, lockfile, and publisher provenance. Use it only on sites where automation is authorized, confirm whether local Chrome or Browserbase is active, avoid real credentials unless necessary, use a dedicated browser profile, review pages before submitting forms or account changes, and regularly clear saved sessions, screenshots, and downloads.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Medium, 91% confidence

The examples document advertises automatic file download behavior and a specific local write path, which extends the apparent capability from browser interaction into filesystem side effects. This is dangerous because users or downstream agents may invoke the skill expecting only web interaction, while it can silently persist untrusted content to disk and increase malware, storage, or data-handling risk.

Description-Behavior Mismatch

Medium, 93% confidence

The note that the browser uses a persistent Chrome profile means cookies and authenticated session state may survive across runs, but this sensitive behavior is not disclosed in the manifest description. That creates a privacy and security risk because later tasks may inherit prior authentication context, enabling unintended access, cross-task data leakage, or actions performed under stale credentials.

Missing User Warnings

Medium, 88% confidence

The form-submission example shows entering personal contact data and clicking submit without any warning that information will be transmitted to an external site. This is risky because it normalizes sending PII off-platform and could cause accidental disclosure, spam generation, or unauthorized submissions if reused with real user data.

Missing User Warnings

Medium, 95% confidence

The login example includes entering credentials and explicitly notes preserved browser profile state, yet provides no warning about credential handling, session persistence, or privacy exposure. In this skill context, authenticated browsing is especially sensitive because reused sessions can expose account data or permit unintended privileged actions on later runs.

Missing User Warnings

Medium, 90% confidence

The download example states that files are automatically written to a local directory but does not warn users about the disk write, retention, or trust implications of downloaded content. This is dangerous because users may unknowingly store untrusted files locally, creating malware exposure, accidental execution risk, or sensitive data accumulation.

Missing User Warnings

Medium, 92% confidence

The reference explicitly documents that downloads are automatically saved to disk with no file type restrictions and without a strong user-facing warning or consent boundary. In a browser automation skill with full network access and access to internal/local resources, this can cause unintended persistence of untrusted content, disk usage abuse, and downstream risk if later workflows open or trust downloaded files.

Vague Triggers

Medium, 90% confidence

The skill description is broad enough to trigger on many generic browsing or web-interaction requests, which increases the chance the agent invokes this skill in contexts the user did not explicitly intend. Because the skill can drive a browser, fill forms, and extract website data, overbroad activation expands the attack surface for unintended web actions and data exposure.

Missing User Warnings

Medium, 95% confidence

The skill silently switches to a remote Browserbase environment whenever API keys are present, without warning the user that browsing activity, page contents, cookies, or submitted data may be processed by a third-party remote service. Automatic remote execution changes the trust boundary and can expose sensitive browsing sessions or extracted content without informed consent.

VirusTotal

62/62 vendors flagged this skill as clean.
