OpenWeb

Security checks across malware telemetry and agentic risk

Overview

OpenWeb is a coherent website-automation skill, but it needs review because it can reuse browser sessions and tokens to act on many real accounts.

Install only if you are comfortable letting OpenWeb use browser-authenticated sessions for many websites. Keep write/delete prompts enabled, avoid transact actions, use test or low-risk accounts for author-mode capture, and treat capture bundles, cookies, tokens, HARs, and ~/.openweb data as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • YARA Signatures: Malware Match, Webshell Match, Cryptominer Match
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Vague Triggers

Severity: Medium
Confidence: 86%
Finding
The skill description is extremely broad and authorizes interaction with many real websites, including posting, commenting, messaging, and other side-effecting actions. That broad framing can cause an agent to invoke this skill for generic web-related requests without clear guardrails, increasing the chance of unintended writes, privacy-impacting actions, or misuse on third-party services.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The guidance explicitly tells operators to perform real write actions such as like/follow mutations on live sites in order to surface CSRF tokens in traffic captures. In the context of a skill that can interact with real third-party accounts and services, this encourages state-changing operations against production accounts without strong safety guardrails, increasing the risk of unintended account actions, policy violations, or accidental abuse.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
This documentation explicitly instructs curators to extract authentication tokens from browser storage on another domain using an absolute `app_path`, which is sensitive credential material. In the context of an agent skill that can interact with real websites, normalizing token harvesting without an explicit user-consent boundary, scope restriction, or warning increases the risk of over-collection, cross-origin credential access, and misuse in unintended operations.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The file instructs users to test write operations against live services, including examples like liking a post, but it does not prominently warn that these actions can modify real accounts, trigger notifications, or affect third parties. In the context of an automation skill that can interact with many real websites using browser-session auth, this increases the risk of unintended live-state changes during verification or curation.

Missing User Warnings

Severity: Low
Confidence: 90%
Finding
The skill explicitly instructs the agent to write probe results into DOC.md, which is a repository modification. In an agent context, changing files without an explicit user-facing confirmation or clear consent boundary can lead to unintended workspace edits, especially when the skill is designed to operate across many sites and workflows.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
This section documents one-way, data-affecting actions such as sendMessage, uploadFile, and deleteFile without any adjacent warning, confirmation requirement, or explicit safety constraint. In a skill designed to interact with real websites and user accounts, normalizing destructive or irreversible operations in guidance can lead downstream agents to execute high-impact actions without adequate user confirmation.
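A confirmation gate of the kind these findings ask for, written here as an added example rather than OpenWeb's own code. It classifies each action name into read, write, destructive or transact (the classification table and the `Policy`, `decide` and `run` names are assumptions for illustration; `sendMessage`, `uploadFile` and `deleteFile` are the names from the finding above) and implements the overview's guidance: prompts stay on for writes, transact actions are refused, destructive actions always require confirmation, and author-mode captures may only mutate accounts the operator has marked as test accounts.

```python
"""Confirmation gate for side-effecting skill actions (added example)."""
from dataclasses import dataclass, field
from enum import Enum


class Risk(Enum):
    READ = "read"
    WRITE = "write"              # reversible-ish: like, follow, post, comment
    DESTRUCTIVE = "destructive"  # hard to undo: sendMessage, deleteFile
    TRANSACT = "transact"        # money or credentials change hands


# Assumed classification of the action names mentioned on this page; any
# name not listed is treated as TRANSACT so a newly added action cannot
# slip past the gate unreviewed.
ACTION_RISK = {
    "fetch": Risk.READ, "search": Risk.READ, "readPost": Risk.READ,
    "like": Risk.WRITE, "follow": Risk.WRITE, "post": Risk.WRITE,
    "comment": Risk.WRITE, "uploadFile": Risk.WRITE,
    "sendMessage": Risk.DESTRUCTIVE, "deleteFile": Risk.DESTRUCTIVE,
    "purchase": Risk.TRANSACT, "transfer": Risk.TRANSACT,
}


@dataclass
class Policy:
    prompt_on_write: bool = True   # "keep write/delete prompts enabled"
    allow_transact: bool = False   # "avoid transact actions"
    test_accounts: set = field(default_factory=set)  # cleared for author-mode capture


@dataclass
class Decision:
    verdict: str   # "allow", "confirm" or "deny"
    reason: str


def classify(action: str) -> Risk:
    return ACTION_RISK.get(action, Risk.TRANSACT)


def decide(policy: Policy, action: str, site: str, account: str,
           author_mode: bool = False) -> Decision:
    """Decide whether an action may run, needs user confirmation, or is refused."""
    risk = classify(action)
    if risk is Risk.TRANSACT and not policy.allow_transact:
        return Decision("deny", f"{action} on {site} is a transact (or unknown) action; blocked by policy")
    if author_mode and risk is not Risk.READ and account not in policy.test_accounts:
        return Decision("deny", f"author-mode capture may only mutate test accounts, not {account}")
    if risk is Risk.READ:
        return Decision("allow", f"{action} on {site} is read-only")
    if policy.prompt_on_write or risk is Risk.DESTRUCTIVE:
        return Decision("confirm", f"{action} changes live state on {site} as {account}; ask the user first")
    return Decision("allow", f"{action} on {site} allowed: operator disabled write prompts")


def run(policy: Policy, action: str, site: str, account: str, confirm, execute,
        author_mode: bool = False) -> str:
    """Wire the decision into an agent loop: confirm() asks the user, execute() performs the call."""
    d = decide(policy, action, site, account, author_mode)
    if d.verdict == "deny":
        return f"denied: {d.reason}"
    if d.verdict == "confirm" and not confirm(d.reason):
        return f"cancelled: {d.reason}"
    execute(action)
    return f"executed {action}"


if __name__ == "__main__":
    pol = Policy(test_accounts={"qa-bot"})
    for act in ("fetch", "like", "deleteFile", "purchase"):
        print(act, "->", decide(pol, act, "example.com", "alice"))
```

The important design choice is the default for unknown action names: treating them as transact means a skill update that adds a new mutating verb is refused until the operator classifies it, rather than silently allowed.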

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The CLI documentation states that browser auto-start copies sensitive Chrome profile artifacts including cookies, local storage, session storage, and web data into a temporary profile automatically when operations require browser access. Even if intended to preserve authenticated sessions locally, this is privacy- and security-sensitive behavior because it expands access to authentication material without an explicit just-in-time warning or consent boundary, increasing the risk of account/session misuse if the tool, temp directory, or local environment is compromised.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The capture command is documented as recording browser traffic via CDP but does not clearly warn that captured traffic may include session cookies, authorization headers, personal data, and other sensitive request/response contents. In a tool designed to interact with many real websites, this omission can lead users or agents to collect and persist sensitive material unintentionally, creating disclosure and misuse risk.
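To make that caveat concrete, an added example (not OpenWeb's own code) that scrubs a HAR capture of the session material the finding lists before it is stored or shared. The structure walked here (`log.entries[].request.headers`, `.cookies`, `.queryString`, `.postData`, `response.content`) is the standard HAR 1.2 layout; the header and parameter name lists, the `redact_har` and `leaks` names, and the sample capture are constructed for this example.

```python
"""Redact session material from a HAR capture before it is persisted (added example)."""
import copy
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization",
                     "x-csrf-token", "x-xsrf-token"}
# Parameter names that usually carry a credential (assumed list).
SENSITIVE_PARAM = re.compile(r"token|secret|session|auth|password|nonce", re.I)
REDACTED = "REDACTED"

# Constructed sample capture, not a real recording: one POST made with a
# session cookie, a bearer token and a CSRF token in the query string.
SAMPLE_HAR = {
    "log": {"version": "1.2", "entries": [{
        "request": {
            "method": "POST",
            "url": "https://example.com/api/like?post=42&csrf_token=abc123",
            "headers": [
                {"name": "Cookie", "value": "session=s3cr3t"},
                {"name": "Authorization", "value": "Bearer eyJhbGciOi"},
                {"name": "Content-Type", "value": "application/json"},
            ],
            "cookies": [{"name": "session", "value": "s3cr3t"}],
            "queryString": [{"name": "post", "value": "42"},
                            {"name": "csrf_token", "value": "abc123"}],
            "postData": {"mimeType": "application/json", "text": "{\"post\":42}"},
        },
        "response": {
            "status": 200,
            "headers": [{"name": "Set-Cookie", "value": "session=n3w; HttpOnly"}],
            "cookies": [{"name": "session", "value": "n3w"}],
            "content": {"mimeType": "application/json", "text": "{\"ok\":true}"},
        },
    }]}
}


def _redact_pairs(pairs, should):
    """Replace the value of each {name, value} item whose name passes `should`."""
    n = 0
    for p in pairs or []:
        if should(p.get("name", "")) and p.get("value") != REDACTED:
            p["value"] = REDACTED
            n += 1
    return n


def _redact_url(url):
    """Redact credential-looking query parameters inside the request URL itself."""
    parts = urlsplit(url)
    if not parts.query:
        return url, 0
    n, q = 0, []
    for k, v in parse_qsl(parts.query, keep_blank_values=True):
        if SENSITIVE_PARAM.search(k):
            v, n = REDACTED, n + 1
        q.append((k, v))
    return urlunsplit(parts._replace(query=urlencode(q))), n


def redact_har(har, keep_bodies=False):
    """Return (redacted copy, number of redactions). The input is left untouched."""
    out = copy.deepcopy(har)
    count = 0
    for entry in out.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for msg in (req, resp):
            count += _redact_pairs(msg.get("headers"), lambda name: name.lower() in SENSITIVE_HEADERS)
            count += _redact_pairs(msg.get("cookies"), lambda name: True)  # every cookie value
        count += _redact_pairs(req.get("queryString"), SENSITIVE_PARAM.search)
        count += _redact_pairs(req.get("postData", {}).get("params"), SENSITIVE_PARAM.search)
        if req.get("url"):
            req["url"], n = _redact_url(req["url"])
            count += n
        if not keep_bodies:  # bodies may hold PII or tokens: drop them unless explicitly kept
            for holder in (req.get("postData"), resp.get("content")):
                if holder and holder.get("text"):
                    holder["text"] = f"[body removed, {len(holder['text'])} chars]"
                    count += 1
    return out, count


def leaks(har, needle):
    """True if `needle` still appears anywhere in the serialised HAR."""
    return needle in json.dumps(har)


if __name__ == "__main__":
    cleaned, n = redact_har(SAMPLE_HAR)
    print(f"{n} redactions")
    print(json.dumps(cleaned, indent=2))
```

Bodies are dropped by default and kept only on request, because a capture taken to learn an API's shape rarely needs them and they are where personal data tends to sit; the URL is rewritten separately because a token in the query string survives header redaction otherwise.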

Ssd 3

Severity: High
Confidence: 95%
Finding
This section explicitly teaches extracting auth-related material such as API URLs, auth tokens, or persisted query hashes from a live site's bundled code and using them to access internal functionality. In the context of an automation skill designed to interact with third-party sites, this materially lowers the barrier to replaying authenticated requests and bypassing intended client-side protections.

Ssd 4

Severity: High
Confidence: 99%
Finding
The appendix gives operational instructions for harvesting per-page nonce values, setting verified-fetch headers, scraping authenticity tokens, and iterating combinations until privileged mutations succeed. That is dangerous because it is effectively a playbook for defeating CSRF-style request validation on authenticated sessions against real third-party sites.

YARA rule 'info_stealer': Information stealer patterns (credential harvesting, browser data theft) [malware]

Severity: High
Category: YARA Match
Content
## Profile-Snapshot Coverage (`copyProfileSelective`)

`browser start` snapshots the user's Chrome profile into `mkdtemp` so it can launch a clean instance with the same auth state. Earlier the snapshot used a tight allowlist (`Cookies`, `Web Data`, `Preferences`, `Local/Session Storage`, `IndexedDB`). That missed several files Chrome consults during sign-in propagation:

- `Account Web Data` — GAIA account metadata for signed-in profiles.
- `Sync Data/` — account sync state; Chrome can mark the profile as signed-out without it.
Confidence: 97%
Finding
Matched text, a substring of the content excerpt above: Cookies`, `Web Data`, `Preferences`, `Local/Session Storage`, `IndexedDB`). That missed several files Chrome
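The pattern families listed under Vulnerability Patterns above and the YARA match here are both string-level checks over the skill's files. As an added example, not SkillSpector's rules and not OpenWeb's code, the following scanner approximates three of them with regular expressions (a list of Chrome profile artifacts on one line, token reads from browser storage, and a destructive action documented with no confirmation language within two lines) and runs them over a constructed SKILL.md-style excerpt. Rule names, severities and the window size are assumptions; the real `info_stealer` YARA rule is not reproduced.

```python
"""Minimal pattern scanner for agent-skill documentation and source (added example)."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    severity: str
    line: int
    evidence: str


# Chrome profile files that carry sign-in state (names taken from the YARA
# content excerpt above). Longer names come first so "Account Web Data" is
# not split into "Web Data".
PROFILE_ARTIFACTS = re.compile(
    r"(Account Web Data|Web Data|Login Data|Local Storage|Session Storage|"
    r"Sync Data|IndexedDB|Cookies)")
# Reading a credential out of browser storage in the same statement.
STORAGE_TOKEN = re.compile(
    r"(localStorage|sessionStorage|document\.cookie)[^\n]{0,80}?(token|jwt|bearer|auth)", re.I)
# Side-effecting verbs this skill documents (assumed list).
DESTRUCTIVE = re.compile(r"\b(sendMessage|uploadFile|deleteFile|delete|purchase|transfer)\b")
# Words that indicate a confirmation or warning is documented alongside.
CONFIRM_WORDS = re.compile(r"\b(confirm\w*|warn\w*|consent|prompt\w*)\b", re.I)


def scan(text: str, window: int = 2) -> list:
    """Return findings in file order; `window` is how many lines around a
    destructive verb are searched for confirmation language."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines, 1):
        artifacts = {m.group(1) for m in PROFILE_ARTIFACTS.finditer(line)}
        if len(artifacts) >= 2:  # two or more on one line reads like a copy allowlist
            findings.append(Finding("browser_profile_copy", "high", i, ", ".join(sorted(artifacts))))
        m = STORAGE_TOKEN.search(line)
        if m:
            findings.append(Finding("storage_token_access", "high", i, m.group(0)))
        m = DESTRUCTIVE.search(line)
        if m:
            nearby = "\n".join(lines[max(0, i - 1 - window): i + window])
            if not CONFIRM_WORDS.search(nearby):
                findings.append(Finding("unwarned_destructive_action", "medium", i, m.group(1)))
    return findings


# Constructed SKILL.md-style excerpt for the demonstration; not OpenWeb's file.
SAMPLE_SKILL_MD = """\
# browser start
Snapshots the Chrome profile (`Cookies`, `Web Data`, `Local Storage`, `Session Storage`) into a temp dir.

# Token capture
Read localStorage.getItem("auth_token") and reuse it on API calls.

# Actions
- like: toggles a like on a post
- sendMessage: sends a DM to a user
- deleteFile: removes a file from the account

# Safety
The agent must prompt for confirmation before deleteFile.
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_SKILL_MD):
        print(f"{f.severity:6} {f.rule:28} line {f.line}: {f.evidence}")
```

Note what the last rule does and does not catch: the `deleteFile` in the Safety section is silent because confirmation language sits on the same line, while the same verb in the action list two sections earlier is reported, which matches how the findings above treat guidance that documents an action far from any warning.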

VirusTotal

66 of 66 VirusTotal vendors reported no detection for this skill.