ClawHub

Browser Stagehand

Security checks across malware telemetry and agentic risk

Overview

This browser automation skill is not clearly malicious, but it needs review because it can browse, log in, submit forms, reuse sessions, download files, and switch to a remote browser without strong user controls.

Review before installing. Verify the missing npm package/source and publisher before running setup, use a disposable browser profile for sensitive sites, avoid entering real credentials unless necessary, clear .chrome-profile after login tasks, inspect files in ./agent/downloads before opening them, and disable Browserbase keys unless you explicitly want remote browsing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The note that the skill uses Chrome's persistent profile and may preserve session cookies between runs introduces cross-session state retention that is not disclosed in the skill metadata. This can expose authenticated sessions, leak prior-user context into later tasks, and cause actions to be taken under stale or unintended identities.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The login example instructs the agent to enter a username and password and then operate within an authenticated session without any warning about credential handling, session reuse, or sensitive-data exposure. In combination with the persistent profile note, this increases the risk that secrets or authenticated state are stored, reused, or exposed unintentionally.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The example states that files are automatically downloaded to a local directory but does not warn about local file writes, storage location, or the trust implications of downloaded content. This can surprise users, create unwanted artifacts on disk, and normalize downloading potentially unsafe files without explicit acknowledgement.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation states that downloads are automatically allowed and saved to a local directory with no prompt or file type restrictions. In a browser automation skill with full network access and natural-language page interaction, this can lead to unreviewed downloads of malicious or sensitive files, disk pollution, and accidental retrieval of content from untrusted sites or internal resources.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill documents automatic selection of a remote Browserbase environment whenever API keys are present, with no user-facing warning or confirmation. This can silently shift browsing activity, page contents, form inputs, and extracted data from a local environment to a third-party remote service, creating privacy, compliance, and data-handling risks.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal