Safari Browser Control

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill openly helps an agent control Safari on macOS and includes guardrails for live browser sessions, but users should approve sensitive actions carefully.

Install this only if you want an agent to work with Safari on your Mac. Use isolated WebDriver mode when possible, approve live-session clicks, typing, screenshots, and tab switching explicitly, and periodically review or delete ~/safari/ if you do not want retained Safari automation notes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly instructs the agent to operate inside the user's live Safari session, including tab switching, navigation, clicking, and typing, but it does not require an explicit user-facing confirmation before modifying browser state or page content. In a real browser context, these actions can trigger purchases, submissions, navigation away from unsaved work, or interaction with sensitive authenticated sessions, so the omission is a genuine safety flaw even if the examples are framed as normal automation.

Missing User Warnings

Medium
Confidence: 91%
Finding
Although the skill says not to use blind keystrokes until app, tab, and input focus are confirmed, it still presents System Events keystroke automation without a strong user-facing warning that focus can change between verification and execution. In practice, keystrokes sent at the OS level may land in the wrong application, wrong field, or a privileged dialog, causing unintended data entry, command execution, or disclosure of sensitive text.

Vague Triggers

Medium
Confidence: 91%
Finding
The activation guidance is broad enough that the skill may engage on loosely related mentions of Safari control, automation, tab inspection, or screenshots before the user has clearly opted into browser manipulation. In a browser-control skill, premature activation is risky because it can expand the agent’s operational scope to a privacy-sensitive surface involving live tabs, cookies, and authenticated sessions.

Missing User Warnings

Medium
Confidence: 88%
Finding
The file instructs the agent to keep the conversation natural and defer explanation of storage unless asked, while also defining persistence of permissions, sessions, snippets, and incident notes under ~/safari/. That creates a meaningful privacy risk because sensitive browser-related state may be retained without clear, upfront, informed consent from the user.

VirusTotal

66/66 vendors flagged this skill as clean.
