ClawHub

test safe agent-browser

Security checks across malware telemetry and agentic risk

Overview

The skill presents itself as a restricted safe browser, but its own docs expose broad authenticated browser automation, session persistence, script execution, local file access, proxy rotation, and uploads.

Install only if you intend to grant a broad browser automation capability, not merely a safe public-page reader. Use strict domain allowlists and action policies, avoid saved authenticated sessions unless necessary, treat cookies/state files/screenshots/PDFs/text captures as sensitive, and do not use proxy rotation or uploads against sites or files you are not authorized to automate.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (37)

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The manifest and top-level description claim this is a restricted browser tool for navigation, screenshots, public-data extraction, and testing, but the body documents login flows, credential handling, session/state reuse, and access to authenticated content. That mismatch is dangerous because downstream agents or policy engines may grant the skill under a low-risk assumption while it actually enables higher-risk actions involving secrets and protected resources.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill is presented as a restricted/public-data browser tool, yet it includes auth vault usage, login automation, and persistent authenticated session reuse. This expands the blast radius from passive browsing to active account access and secret-adjacent operations, which can lead to unintended access to private data or account actions.

Description-Behavior Mismatch

Critical
Confidence
99% confidence
Finding
The manifest says the skill must not run without safety boundaries, but the documentation later states all security features are opt-in and unrestricted behavior is the default. This contradiction can cause operators or agents to assume protections exist when they may actually be disabled, enabling prompt-injection exposure, unrestricted navigation, and unsafe actions on hostile pages.

Intent-Code Divergence

Critical
Confidence
98% confidence
Finding
Early guidance mandates safety mode before any command, but later sections explicitly say protections are optional and off by default. For an AI-facing browser skill, inconsistent security semantics are highly dangerous because they encourage unsafe deployment and increase the chance an agent interacts with adversarial web content without isolation.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
Documenting arbitrary JavaScript execution via `eval` materially exceeds the stated scope of restricted safe browser automation. Even if evaluation occurs in page context, it can be used to extract sensitive DOM data, trigger complex page-side behaviors, or bypass safer high-level interaction patterns expected by policy reviewers.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
Allowing `file://` access extends the skill from web navigation into local file access, which is outside the declared purpose and can expose sensitive host data. In an agent context, this broadens the trust boundary from remote content to the local machine, increasing risk of data disclosure or accidental processing of sensitive local documents.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill is described as a restricted browser for public navigation, screenshots, and public-data extraction, yet this file explicitly documents login flows, OAuth, 2FA, session persistence, and authenticated browsing. That meaningfully expands the operational scope from 'safe browsing' into credential handling and access to non-public resources, increasing the risk of misuse, data exfiltration, and boundary bypass.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Saving and restoring authenticated browser state creates reusable session artifacts that can grant access without re-entering credentials or completing MFA again. In a skill marketed as restricted/safe browsing, documenting this capability enables persistence of privileged access and increases the blast radius if state files are copied, mishandled, or reused in unintended contexts.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The HTTP Basic Auth and cookie-injection examples document direct use of raw credentials and session tokens, which are highly sensitive secrets. These capabilities are not justified by a tool limited to public-data browsing/testing and can be abused to impersonate users, bypass normal login flows, or access protected resources with injected session material.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The documented interaction set includes state-changing actions such as click, fill, type, upload, drag-and-drop, and checkbox/select manipulation, which materially exceeds a tool described as a restricted browser utility for navigation, screenshots, and public-data extraction. This mismatch can cause downstream agents or operators to over-trust the skill and use it in ways that submit forms, alter accounts, or trigger transactions on live sites.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
`agent-browser eval`, especially `-b` and `--stdin`, enables arbitrary JavaScript execution in the page context, directly contradicting the claim of a limited safe browser automation tool. Arbitrary script execution can extract sensitive DOM data, modify application state, bypass intended command restrictions, and interact with authenticated sessions in ways not visible from the higher-level command set.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Credential configuration, cookie access/modification, and localStorage access/manipulation expose and alter sensitive browser state far beyond a read-oriented public-data tool. In an authenticated session, these features can enable account takeover, session hijacking, secret disclosure, or persistence of privileged state across tasks.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Support for proxies, custom browser executables, and extensions increases the attack surface and allows behavior that is difficult to audit or constrain within a 'safe' browser model. These capabilities can reroute traffic, load untrusted code, weaken isolation assumptions, and undermine any guarantees implied by the skill description.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The reference frames the tool as a restricted or safe browser automation interface while the command set includes unrestricted execution, state mutation, interception, and persistence features. This is dangerous because safety claims influence operator trust; misleading safety framing can lead agents to invoke powerful features without the scrutiny normally applied to a high-privilege browser tool.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The documentation explicitly frames proxy support as useful for rate-limit avoidance and geo-testing, which broadens a supposedly restricted/safe browser automation skill into capabilities commonly associated with stealthier automation and policy evasion. In the context of a 'safe' agent browser, normalizing these use cases increases the chance the skill is used for scraping abuse or bypassing operational safeguards.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The rotating-proxy example operationalizes rate-limit avoidance by showing users how to distribute requests across multiple proxies while scraping pages. That is a concrete abuse-enabling workflow, not merely neutral proxy configuration, and it undermines the skill's stated restricted/safe positioning by facilitating evasive collection at scale.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The template explicitly includes an optional path to load authentication state and access protected pages, which expands the skill beyond its stated public-data capture purpose. Even though the code is commented out, it normalizes authenticated browsing and can lead operators to replay session tokens against private content, increasing the risk of unauthorized access and sensitive-data capture.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This template materially expands the skill from passive browsing and testing into active form interaction, submission, and potential data transmission. In the context of a supposedly restricted browser tool, enabling generic form automation can be used to submit data to third-party sites, trigger state-changing actions, or automate workflows outside the declared safety boundary.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
File upload is especially dangerous because it can exfiltrate local files or transmit sensitive user data to remote services. That capability is not justified by the manifest's limited browsing/testing description, so its presence indicates a boundary violation with significant abuse potential.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The documented purpose explicitly says the script fills and submits forms, which conflicts with the manifest's claim that the skill is restricted to navigation, screenshots, public-data extraction, and testing. This mismatch is dangerous because operators and downstream systems may trust the manifest while the implementation encourages more powerful, state-changing behavior.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The examples encourage saving auth state and session data to local files without prominent warnings that these artifacts may contain cookies, tokens, or other bearer secrets. If such files are copied, committed, or left unprotected, they can enable session hijacking or unauthorized access without needing the original password.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The example saves authentication state immediately without an inline warning that the resulting file contains active session material. Even though later best-practices mention not committing state files, the omission at the point of creation increases the chance that users treat the file as ordinary output and expose reusable sessions.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The HTTP Basic Auth example demonstrates entering credentials directly without an immediate caution about secret handling, shell history exposure, logging, or least-privilege use. In practice this can lead to accidental leakage of usernames/passwords through transcripts, command history, screenshots, or automation logs.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The cookie-setting example normalizes manual injection of an auth cookie without warning that the value is equivalent to a live session token. This can mislead users into handling session material casually, enabling account takeover or unauthorized access if the token is exposed or reused.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Commands that read or modify cookies and storage are documented without privacy, retention, or sensitivity warnings, despite directly exposing session tokens and user data. In a browser automation context, omission of these warnings increases the likelihood of accidental secret collection, disclosure, or unsafe persistence.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal