Gwenchai

Security checks across malware telemetry and agentic risk

Overview

This package is advertised as one thing but contains several unrelated, powerful agent, memory, Discord, search, and transcription capabilities that are not clearly disclosed together.

Do not install this as a simple Playwright browser automation skill without manual review. Treat it as a mixed, high-authority bundle that may touch local agent configuration, Discord/Telegram integrations, external APIs, workspace files, git history, cron jobs, and long-term memory. Install only in an isolated environment after removing unrelated scripts and confirming exactly which credentials and files it can access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (86)

Lp3

Medium
Category
MCP Least Privilege
Confidence
77% confidence
Finding
The skill exposes significant capabilities including network access, file read/write, shell execution, and environment interaction, but it declares no explicit permissions or trust boundaries. This weakens user understanding and reviewability, making it easier for a high-impact skill to be invoked without appropriate scrutiny or policy enforcement.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The README content is for an unrelated ElevenLabs speech-to-text skill, while the metadata says this package is a Playwright MCP browser automation skill. This kind of identity mismatch is dangerous because it can mislead users and reviewers about what the skill actually does, hide the real functionality, and weaken trust and review controls around installation and use.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This file is materially inconsistent with the declared skill purpose: instead of Playwright/browser automation guidance, it contains instructions for a cognitive memory and self-reflection system. In an agent skill, off-domain instructions can act as prompt-injection payloads that alter agent goals, behavior, and persistence rules, making the skill more dangerous because users and tooling expect browser automation, not identity/memory modification.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This file is materially inconsistent with the declared Playwright browser-automation skill and instead contains instructions for a separate 'Cognitive Memory System' that alters persistent workspace files and agent behavior. That mismatch is a strong supply-chain red flag because users and reviewers may trust the manifest while hidden or unrelated instructions influence an agent to perform unexpected stateful actions.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This template is functionally a persistent memory and self-reflection system, not a browser-automation capability aligned to a Playwright MCP skill. The mismatch is dangerous because it can cause operators or downstream agents to grant the skill broad data-retention and self-modification behaviors under the misleading cover of a benign browser-automation description.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The template grants persistent writes, core-memory self-editing, git commits, audit logging, and identity/reflection file updates without justification for browser automation. In the context of a Playwright skill, these capabilities materially expand the attack surface from web interaction to local state persistence and repository mutation, enabling unauthorized retention of user data and unintended file changes.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file content is for a persistent memory-management skill, but the metadata claims it is a Playwright/browser automation skill. This capability mismatch is dangerous because it can hide unexpected data collection, storage, and retention behaviors from users and reviewers, defeating informed consent and trust boundaries. In an agent ecosystem, mislabeled skills can bypass scrutiny intended for sensitive memory features.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The document instructs the agent to perform broad memory management and workspace mutation behaviors that are unrelated to a Playwright browser-automation skill. This scope expansion is dangerous because it normalizes non-browser file access and persistent state changes, increasing the chance the skill can be used to alter local workspace state or influence agent behavior beyond its declared purpose.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Granting access to SOUL.md, IDENTITY.md, USER.md, TOOLS.md, and configuration files exposes highly sensitive control-plane data that has nothing to do with browser automation. If honored by an agent, these instructions could enable prompt/persona tampering, leakage of sensitive user context, or unauthorized modification of core behavioral and configuration files.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Embedding git commits, rollback operations, blame queries, and shell-style audit workflows in a browser skill introduces repository and filesystem control far outside the skill's stated function. That creates a path for persistent unauthorized changes, historical inspection of sensitive data, and destructive rollback actions if an agent follows these instructions.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The sub-agent instructions grant broad read access to all memory stores, including vault data, despite the skill being described as browser automation. This violates least privilege and could expose sensitive long-term memory or pinned secrets to components that only need webpage interaction.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The document defines a reflection workflow that reads broad memory sources, extracts patterns about the user, and updates long-lived memory/identity artifacts. For a browser automation skill, this is materially out of scope and creates unnecessary profiling and retention of personal information beyond what is needed to navigate websites or operate Playwright.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
These instructions direct the agent to archive reflections, rewards, logs, identity, and decay metadata across multiple files after approval. Persistent storage and rewriting of user-related memory artifacts is not necessary for browser automation and increases privacy, retention, and secondary-use risk.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The process captures post-reflection dialogue, user validations/corrections, and inferred insights into persistent files, extending behavioral profiling over time. This goes beyond the declared browser-automation purpose and creates a durable dossier of user interactions and inferred traits.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
Although the document warns against inventing facts, it later encourages speculative content about the user's life, environment, relationships, and physical context. This mixed guidance increases the chance the agent will generate unsupported inferences and record them as if meaningful, amplifying profiling and hallucination risks.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This script performs privileged local provisioning actions far beyond the stated Playwright browser-automation purpose: it reads and patches gateway configuration, creates agent bindings, and can add persistent cron jobs. That scope mismatch is dangerous because a user invoking a seemingly browser-focused skill may unintentionally grant it authority to alter multi-agent routing, persistence, and execution behavior across the system.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The manifest says this skill provides browser automation, but the file actually creates workspaces, writes agent identity/instruction files, and modifies gateway configuration. This deceptive or misleading packaging increases the chance an operator will run it under the wrong trust assumptions, enabling unintended local system changes and expansion of agent capabilities.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This script's behavior is materially inconsistent with the declared Playwright/browser-automation purpose: it creates a persistent 'cognitive memory' subsystem, writes identity/soul/meta files, and enables local Git tracking. In an agent-skill context, scope mismatch is dangerous because users may grant or execute the skill expecting browser automation, while it silently establishes unrelated persistence and auditing capabilities in the workspace.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script provisions numerous persistent files under the target workspace, including memory stores, reflections, rewards, audit logs, and identity-related documents unrelated to browser automation. In this skill context, that broad write footprint increases the risk of unauthorized data retention, workspace pollution, and accidental storage of sensitive user/project information without a clear need or disclosure.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Initializing Git and committing all workspace contents can capture unrelated project files, secrets, or proprietary data into version history, creating a durable audit trail the user did not expect from a browser automation skill. Because Git history is harder to fully erase and may later be pushed or exposed, this materially increases the consequences of accidental data collection.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This script is materially out of scope for a Playwright MCP browser-automation skill: it performs Discord administration, reads local OpenClaw configuration, and updates local workspace content. Scope mismatch is dangerous because users may install or trust the skill for browser automation while it carries hidden privileged side effects against local files and external Discord resources.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code loads a Discord bot token from a local config file and uses it to issue authenticated PATCH requests that rename Discord channels. In the context of a browser automation skill, this is an unjustified privileged action that could silently misuse locally stored credentials to modify external infrastructure.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script recursively rewrites markdown files across a user-specified workspace, making in-place content changes based on simple string replacement rules. In a skill advertised for Playwright automation, arbitrary repository modification is unexpected and can corrupt documentation, alter prompts, or introduce unintended changes without adequate safeguards.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This script introduces unrelated third-party search capability and sends data to Tavily using an API key from the environment, which expands the skill's data exposure beyond its stated Playwright browser-automation purpose. In an agent setting, users may assume actions stay within browser automation, while queries, domain filters, and optional raw content are transmitted to an external service without clear consent.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file implements a standalone third-party web search client rather than Playwright MCP browser automation, creating a capability mismatch between the declared skill purpose and actual behavior. Such hidden or undocumented capabilities are dangerous in agent ecosystems because they can route user data to external providers and bypass user expectations or policy controls tied to the advertised functionality.

VirusTotal

59/59 vendors flagged this skill as clean.
