Browserbase Persist with captcha

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Browserbase automation skill, but it needs review because it can control logged-in browser sessions, run page scripts, read cookies, and record activity by default.

Install only if you are comfortable giving the skill and your agent access to Browserbase sessions and the sites you automate. Use separate contexts per site, avoid get-cookies and execute-js unless explicitly needed, disable recording/logging and CAPTCHA solving for sensitive workflows, terminate sessions promptly, delete contexts when finished, and consider pinning dependencies in an isolated environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The get-cookies command returns raw browser cookies from potentially authenticated persistent sessions. In this skill's context, those cookies may represent live account sessions for third-party services, so exposing them as plaintext output creates a direct session-token exfiltration path beyond ordinary session management.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The execute-js command evaluates arbitrary JavaScript inside the active browser page, including authenticated contexts. This allows reading DOM data, local/session storage, CSRF tokens, and performing arbitrary in-session actions on behalf of the user, which materially expands the skill from session management into unrestricted browser-side code execution.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The README states that every session is recorded by default and encourages later download and sharing, but it does not warn that recordings may capture passwords, MFA prompts, personal data, internal dashboards, or other sensitive on-screen content. In a browser automation skill that targets authenticated sessions, this increases the risk of unintended collection and disclosure of sensitive data.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The README promotes persistent authentication by saving and restoring cookies, local storage, and session storage, but it does not clearly warn that this retains bearer material that can grant continued access to user accounts. In the context of a cloud browser/session-management skill, persistent auth materially raises the risk of account takeover or unauthorized reuse if contexts are mishandled, shared, or insufficiently protected.

Missing User Warnings

Severity: Low
Confidence: 83%
Finding
The README advertises automatic CAPTCHA solving by default without cautioning that use may violate target-site terms, bypass anti-abuse controls, or require explicit authorization. While not inherently malicious, defaulting to this behavior in a general-purpose automation skill lowers friction for potentially improper use and can create legal, policy, or abuse risks.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
Enabling session recording and authentication persistence by default means the skill may capture and retain sensitive information such as login flows, cookies, authenticated content, and account activity without a strong warning or explicit opt-in. In a browser automation context, that materially raises privacy and security risk because persisted state and recordings can be reused, shared, or mishandled after the session ends.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
Automatic CAPTCHA solving is a high-risk automation feature because it can facilitate access to protected or rate-limited workflows without surfacing authorization or policy concerns to the user. In this skill, it is presented as a default convenience feature, which makes misuse easier in contexts such as scraping authenticated pages or automating login flows on third-party sites.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The reference documents session logs, recordings, downloads, persistent contexts, and reconnectable sessions, but does not warn that these artifacts may contain cookies, auth tokens, page contents, downloaded sensitive files, or other user data. In a skill explicitly designed for authenticated persistent browser sessions, omission of handling and disclosure guidance materially increases the chance of credential leakage, unintended retention, and unsafe reuse of long-lived authenticated state.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
Cookie retrieval exposes sensitive authentication material without any warning, confirmation, or minimization. Because this skill is specifically designed to maintain logged-in browser sessions, the absence of guardrails makes accidental or intentional theft of authenticated state much more dangerous.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
browserbase>=1.0.0
playwright>=1.40.0
Confidence: 94%
Finding
browserbase>=1.0.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
browserbase>=1.0.0
playwright>=1.40.0
Confidence: 94%
Finding
playwright>=1.40.0

VirusTotal

66/66 vendors flagged this skill as clean.