RealBrowser by Ceki

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed real-browser automation skill, but it needs review because it can rent and drive live browser sessions, handle session profiles, and one example pre-approves high-impact actions without per-action user approval.

Review before installing. Use Self mode for anything sensitive, remove or narrow alwaysAllow entries, require confirmation before renting/clicking/typing, avoid CAPTCHA or third-party-site automation unless explicitly authorized, and treat exported profiles as sensitive cookie/session files. No VirusTotal telemetry was supplied and the static scan was clean, so this review is based on artifact behavior and documentation consistency rather than malware evidence.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 87%
Finding:
The changelog presents a safer, authorized-use framing, but it simultaneously confirms that powerful capabilities like marketplace session renting, profile export/import of cookies and storage, and CAPTCHA-related flows remain available. This mismatch can mislead reviewers and users about the actual abuse surface, increasing the risk that the skill is adopted under a false sense of safety while still enabling session sharing, credential/cookie portability, and anti-bot-adjacent workflows.

Intent-Code Divergence

Medium
Confidence: 84%
Finding:
The file claims anti-bot-leaning material was removed and the skill was repositioned for authorized use, yet also states that CLI behavior is unchanged and prior functionality such as CAPTCHA request flows still exists in the command set. This inconsistency suggests risk-signaling has been reduced without a corresponding reduction in technical capability, which can conceal the true operational risk and facilitate misuse on third-party sites.

Vague Triggers

Medium
Confidence: 94%
Finding:
The example configuration pre-approves a broad set of browser-driving actions via "alwaysAllow", including navigation, clicking, typing, and renting a real browser session, without any per-action approval or scope restriction. In an agent setting, this reduces human oversight and can enable unintended interaction with sensitive sites, form submission, or data collection if the agent is prompted maliciously or behaves unexpectedly.

VirusTotal

VirusTotal findings are pending for this skill version.
