HTML-to-Selenium: web element identification and Selenium automation

Security checks across malware telemetry and agentic risk

Overview

This is a genuine browser-automation skill that largely does what it claims, but its activation triggers are broad, and it can use supplied credentials to log in and then save authenticated page content to disk without adequate guardrails.

Install it only if you intend to automate pages you own or are authorized to test. Do not configure ROUTER_* credentials for accounts with real privileges; review the target URL before enabling login; use low-privilege test accounts; and treat the generated screenshots and HTML files as if they contain private account data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Intent-Code Divergence
Medium severity, 95% confidence
Finding: The manifest declares router credential environment variables, yet the skill later states that credentials must not be hardcoded or handled outside explicit provision by the user or an upstream agent. That inconsistency gives the agent runtime a realistic path to supply sensitive credentials implicitly, enabling unintended login attempts against protected sites and possible credential misuse or exfiltration through the automation flows the skill generates.

Context-Inappropriate Capability
Medium severity, 96% confidence
Finding: The example includes an automated login flow with credentials hardcoded directly in documentation code. Even if the values are only illustrative, this normalizes insecure credential handling and invites users or downstream code generators to copy the pattern into real automation, exposing secrets or encouraging unauthorized authenticated actions.

Vague Triggers
Medium severity, 91% confidence
Finding: The trigger phrases are broad enough to match ordinary requests such as analyzing a page or helping operate a site, so the skill can activate outside its intended context. Because the skill is autonomous and can use supplied credentials for automated login, accidental invocation could lead to unintended browsing, form interaction, or use of sensitive accounts.

Vague Triggers
Medium severity, 94% confidence
Finding: The trigger conditions are broad and include generic phrases such as '帮我完成 xxx' ('help me complete xxx') and '帮我操作 xxx' ('help me operate xxx'), which overlap with ordinary user requests unrelated to browser automation. This can cause the skill to activate unexpectedly and steer the agent into webpage fetching, DOM analysis, or automation-script generation where the user did not clearly intend that capability.

Vague Triggers
Medium severity, 95% confidence
Finding: The quick-reference trigger list repeats vague activation phrases without clear boundaries, so the skill may be invoked for broad conversational requests rather than only for explicit web-automation tasks. Accidental activation is more concerning for this skill because its workflow includes page fetching, optional login handling, and generation of actionable Selenium scripts for real sites.

Vague Triggers
Medium severity, 88% confidence
Finding: The trigger phrases are broad enough to match common requests such as page analysis, web automation, or 'help me operate xxx', so the skill can activate in contexts the user did not clearly intend. Because the skill is autonomous and can take credentials from chat, the CLI, or environment variables to perform automated logins, accidental activation could lead to unintended interaction with sensitive internal web interfaces or unintended credential use.

Vague Triggers
Medium severity, 90% confidence
Finding: The top-level trigger conditions are broad enough to match ordinary requests such as 'help me operate xxx' or generic automation and page-analysis prompts. In an agent system this can cause accidental activation on unrelated tasks, which is especially risky here because the skill can fetch URLs, inspect DOMs, and perform authenticated browser actions.

Vague Triggers
Medium severity, 91% confidence
Finding: The quick-reference activation list repeats broad, ambiguous phrases and lacks constraints such as requiring a URL, a declared automation goal, or explicit consent to browse. This raises the chance that the skill is invoked where it should not run, expanding exposure to unintended navigation, content capture, and credential-dependent behavior.

Missing User Warnings
Medium severity, 90% confidence
Finding: The example automates entry of login credentials, including a hardcoded-looking password, with no warning about secrets handling, secure storage, or user consent. In an automation skill this normalizes unsafe credential practices and can lead users or downstream agents to embed real secrets in code, logs, screenshots, or repositories.

Missing User Warnings
Medium severity, 83% confidence
Finding: When --login is enabled, the script pulls credentials from environment variables and submits them to the login form without a strong user-facing confirmation or a domain allowlist. Because the skill may be run against arbitrary URLs, this raises the risk of sending stored credentials to an unintended or malicious login page, and of capturing authenticated content into local artifacts.
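One way to close the gap this finding describes, as an added example that is not part of the skill or of the scanner's report: a login gate that releases environment-supplied credentials only to an HTTPS origin on an explicit allowlist, re-checks the origin after navigation so a redirect cannot move the form onto another host, and requires an operator confirmation callback before anything is typed. The variable names ROUTER_USER, ROUTER_PASSWORD and LOGIN_ALLOWLIST, the form element ids, and the FakeDriver stand-in are assumptions for illustration; a real Selenium WebDriver exposes the same get, current_url and find_element calls used here.

```python
"""Login gate for credential-driven Selenium automation (added example, not the
skill's own code). ROUTER_USER, ROUTER_PASSWORD, LOGIN_ALLOWLIST and the element
ids are assumed names; FakeDriver is a constructed stand-in for a WebDriver."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Mapping, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Credentials:
    username: str
    password: str


class LoginRefused(Exception):
    """Raised before any credential is typed when a guard fails."""


def parse_allowlist(raw: str) -> frozenset[str]:
    """LOGIN_ALLOWLIST (assumed name): comma-separated exact hostnames."""
    return frozenset(h.strip().lower() for h in raw.split(",") if h.strip())


def login_target_allowed(url: str, allowlist: frozenset[str]) -> bool:
    """Only an HTTPS page whose host is exactly allowlisted may receive credentials.
    Exact matching rejects lookalikes such as router.example.test.attacker.test."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    return parts.hostname.lower() in allowlist


def load_credentials(env: Mapping[str, str]) -> Optional[Credentials]:
    """Read only the two named variables; never scan the environment for anything else."""
    user, password = env.get("ROUTER_USER"), env.get("ROUTER_PASSWORD")
    if not user or not password:
        return None
    return Credentials(user, password)


def guarded_login(driver, url: str, creds: Credentials, allowlist: frozenset[str],
                  confirm: Callable[[str], bool], user_id: str = "username",
                  pass_id: str = "password", submit_id: str = "login") -> str:
    """Navigate and submit the login form only if every guard passes. `driver` is any
    Selenium WebDriver; "id" is the literal value of selenium's By.ID, so no import is needed."""
    if not login_target_allowed(url, allowlist):
        raise LoginRefused(f"{url} is not an allowlisted HTTPS login target")
    if not confirm(url):
        raise LoginRefused("operator did not confirm the login")
    driver.get(url)
    landed = driver.current_url  # a redirect may have moved us off the allowlisted host
    if not login_target_allowed(landed, allowlist):
        raise LoginRefused(f"navigation ended on non-allowlisted page {landed}")
    driver.find_element("id", user_id).send_keys(creds.username)
    driver.find_element("id", pass_id).send_keys(creds.password)
    driver.find_element("id", submit_id).click()
    return driver.current_url


class FakeDriver:
    """Constructed stand-in so the example runs offline; mirrors the WebDriver calls used above."""

    def __init__(self, redirect_to: Optional[str] = None):
        self.redirect_to = redirect_to
        self.current_url = "about:blank"
        self.typed: dict[str, str] = {}  # records what would have been sent to the page

    def get(self, url: str) -> None:
        self.current_url = self.redirect_to or url

    def find_element(self, by: str, value: str):
        driver = self

        class Element:
            def send_keys(self, text: str) -> None:
                driver.typed[value] = text

            def click(self) -> None:
                pass

        return Element()


def demo() -> dict[str, str]:
    """Constructed scenarios: the landing URL on success, 'refused' when a guard blocks it."""
    allowlist = parse_allowlist("router.example.test")
    creds = load_credentials({"ROUTER_USER": "readonly", "ROUTER_PASSWORD": "test-only"})
    results: dict[str, str] = {}

    def attempt(label: str, driver: FakeDriver, url: str, confirm=lambda _url: True) -> None:
        try:
            results[label] = guarded_login(driver, url, creds, allowlist, confirm)
        except LoginRefused:
            results[label] = "refused"

    attempt("allowlisted", FakeDriver(), "https://router.example.test/login")
    attempt("lookalike", FakeDriver(), "https://router.example.test.attacker.test/login")
    attempt("plain_http", FakeDriver(), "http://router.example.test/login")
    redirected = FakeDriver(redirect_to="https://login.attacker.test/")
    attempt("redirected", redirected, "https://router.example.test/login")
    results["typed_after_redirect"] = "LEAKED" if redirected.typed else "none"
    attempt("unconfirmed", FakeDriver(), "https://router.example.test/login", confirm=lambda _url: False)
    return results
```

In a real run, pass selenium.webdriver.Chrome() in place of FakeDriver and an input()-based prompt as the confirm callback. The gate raises LoginRefused before any credential leaves the process, so a generated script that forgets to check the URL still cannot submit ROUTER_* values to a lookalike host or to a page it was redirected to.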

Missing User Warnings
Medium severity, 94% confidence
Finding: The login example demonstrates entering credentials with no warning about secure handling of secrets. In skill or reference material this propagates unsafe practices such as embedding credentials in prompts, code, logs, or repositories, increasing the chance of credential leakage and misuse.

Missing User Warnings
Medium severity, 92% confidence
Finding: After visiting arbitrary URLs, including authenticated pages after login, the script saves full-page screenshots and rendered HTML. Those artifacts can capture session-specific sensitive data such as account details, tokens embedded in the DOM, internal admin content, or PII, and are persisted to disk with no consent prompt, masking, or sensitivity warning.
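As an added example (not the skill's own code) of the masking and consent step this finding says is missing: a redaction pass over rendered HTML that blanks password inputs, token-bearing hidden inputs, csrf-style meta tags and JWT-shaped strings before anything is written, refuses to persist a post-login page unless the operator opted in, and creates the output file owner-only. The sample page is constructed for the demonstration, and the attribute-name patterns are an assumed heuristic, not an exhaustive list of where secrets can appear in a DOM.

```python
"""Redaction and consent gate for rendered-HTML artifacts (added example, not the
skill's own code). The attribute-name patterns are an assumed heuristic and the
sample page is constructed for the demonstration."""
from __future__ import annotations

import os
import re
import stat
import tempfile

# Attribute names that usually carry secrets; letter lookarounds keep "author" from matching "auth".
TOKEN_NAME = re.compile(r"(?<![a-z])(csrf|token|secret|session|auth|api[_-]?key)(?![a-z])", re.I)
TAG = re.compile(r"<(input|meta)\b[^>]*>", re.I)
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
# Three base64url segments, the first starting with eyJ ("{"), is the shape of a JWT.
JWT = re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b")
REDACTED = "[REDACTED]"


def _scrub_tag(m: re.Match) -> str:
    """Blank the value of password inputs, token-like hidden inputs and token-like meta tags."""
    tag, kind = m.group(0), m.group(1).lower()
    attrs = {k.lower(): v for k, v in ATTR.findall(tag)}
    if kind == "input":
        input_type = attrs.get("type", "").lower()
        sensitive = input_type == "password" or (
            input_type == "hidden" and bool(TOKEN_NAME.search(attrs.get("name", ""))))
        target = "value"
    else:
        sensitive = bool(TOKEN_NAME.search(attrs.get("name", "")))
        target = "content"
    if not sensitive or not attrs.get(target):
        return tag
    return re.sub(rf'(\b{target}\s*=\s*")[^"]*(")',
                  lambda a: a.group(1) + REDACTED + a.group(2), tag, count=1, flags=re.I)


def redact_html(html: str) -> tuple[str, int]:
    """Return the redacted page and how many secrets were blanked."""
    count = 0

    def scrub(m: re.Match) -> str:
        nonlocal count
        new = _scrub_tag(m)
        if new != m.group(0):
            count += 1
        return new

    cleaned = TAG.sub(scrub, html)
    cleaned, n_jwt = JWT.subn(REDACTED, cleaned)
    return cleaned, count + n_jwt


def save_rendered_html(path: str, html: str, *, authenticated: bool,
                       persist_authenticated: bool = False) -> tuple[str, int]:
    """Refuse post-login pages without explicit opt-in, redact, and write owner-only (0600).
    O_EXCL refuses to overwrite or follow a file that already exists at the path."""
    if authenticated and not persist_authenticated:
        raise PermissionError("refusing to persist an authenticated page without opt-in")
    cleaned, n = redact_html(html)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(cleaned)
    return cleaned, n


# Constructed sample of what a post-login admin page might contain.
SAMPLE_HTML = """<html><head><meta name="viewport" content="width=device-width">
<meta name="csrf-token" content="9f3c2d1e7b"></head><body>
<form><input type="text" name="user" value="admin">
<input type="password" name="pw" value="hunter2">
<input type="hidden" name="session_token" value="s3ss10n-abc"></form>
<script>var jwt = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9.abcdefghijklmnop";</script>
</body></html>"""


def demo() -> dict:
    """Run the gate against SAMPLE_HTML in a temporary directory."""
    out: dict = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "page.html")
        try:
            save_rendered_html(path, SAMPLE_HTML, authenticated=True)
            out["without_optin"] = "saved"
        except PermissionError:
            out["without_optin"] = "refused"
        cleaned, n = save_rendered_html(path, SAMPLE_HTML, authenticated=True,
                                        persist_authenticated=True)
        out["redactions"] = n
        out["leaked"] = [s for s in ("hunter2", "s3ss10n", "9f3c2d1e", "eyJhbGci") if s in cleaned]
        out["kept_non_secret"] = 'value="admin"' in cleaned and 'content="width=device-width"' in cleaned
        out["mode"] = oct(stat.S_IMODE(os.stat(path).st_mode))
    return out
```

Screenshots cannot be scrubbed this way: pixel content carries whatever the page showed, so for them the opt-in gate and the owner-only file mode are the only controls, and a generated script should default to not capturing a screenshot at all once a login has happened.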

VirusTotal

64/64 vendors reported this skill as clean. A clean antivirus verdict covers file-level malware only; the trigger, credential-handling, and artifact-capture issues above are outside what those engines inspect.