ClickMap

Security checks across malware telemetry and agentic risk

Overview

ClickMap matches its stated browser automation purpose, but its local bridge is unauthenticated by default and broadly reachable from browser pages, so users should review it before installing.

Review carefully before installing. Use it only for sites where saving selectors, labels, text snippets, URLs, and coordinates is acceptable. If you run the bridge, set a strong CLICKMAP_TOKEN, avoid exposing or autostarting it, and do not point the bridge URL at a remote service unless you intend to send your POI data there. Re-check saved POIs before actions that submit, post, purchase, delete, or log in.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Tp4

High
Category
MCP Tool Poisoning
Confidence
81% confidence
Finding
The skill is presented as a browser UI automation helper, but it also documents a local bridge server, persistent POI storage, import/export of JSON, and collection of detailed page element metadata. That broader behavior materially expands the attack surface and data sensitivity: saved selectors, labels, text, and screen coordinates can expose workflow details or sensitive page content, while a localhost bridge introduces an interface that other local processes or browser contexts may try to reach.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The background script posts all saved POIs to a configurable bridge URL, defaulting to a localhost HTTP service, which extends the extension's behavior beyond in-browser automation into external data transfer. Even if intended for local integration, this creates a real exfiltration path for stored interaction targets and associated metadata if the bridge URL is changed, the local service is untrusted, or localhost traffic is intercepted or misrouted.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The manifest injects a content script into <all_urls>, which gives the extension code visibility and execution capability across essentially every site the user visits. For a tool whose stated purpose is saving named click points and syncing them to a local bridge, this is broader than necessary and increases the risk of accidental collection, manipulation, or leakage of sensitive page data from unrelated sites.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Always-on access to all URLs is overly broad for deterministic browser click automation and creates unnecessary exposure to sensitive content on banking, email, admin, and internal sites. Even if the current implementation is benign, the permission model enables powerful cross-site observation and interaction that would be attractive if the extension were modified or misused.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The options page can send saved POI data to an arbitrary configured bridge URL, including non-local destinations, which expands the extension from local UI automation into network data transfer. Even if user-initiated, this creates a real exfiltration path for browsing-related target metadata and can expose sensitive workflow information if the bridge URL is misconfigured, malicious, or changed by another component.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The code stores a configurable bridge URL and authentication token in chrome.storage.local without showing a strong security justification tied to the extension's stated click/type automation purpose. This broadens the trust boundary and creates persistent sensitive configuration that could be abused for unauthorized syncing or redirected data transfer if the extension or local environment is compromised.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The bridge accepts requests without authentication whenever CLICKMAP_TOKEN is unset, and the default configuration sets it to an empty string. Although the server binds to 127.0.0.1, any local process—and, combined with the permissive CORS policy, browser-delivered JavaScript from arbitrary websites—can read or overwrite the POI dataset, exposing saved targets and enabling tampering with automation behavior.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The server returns Access-Control-Allow-Origin: * for API responses and preflight handling, allowing any website visited in the user's browser to make cross-origin requests to the localhost service. In this skill's context, that means an unrelated web page can enumerate or replace saved click targets, which could leak internal workflow metadata or sabotage subsequent browser automation.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The code transmits stored POI data and an optional token to an external endpoint, but this file shows no inline user confirmation, disclosure, or trust boundary enforcement around that transfer. In the context of a browser automation skill, saved click targets may reveal sensitive workflow details or page-specific coordinates, so silent or poorly explained sync can leak operational information to another process or service.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The content script stores detailed page-derived data in extension local storage, including CSS/XPath selectors, element text snippets, ARIA labels, IDs, coordinates, and URL path context. Even though capture is user-triggered, this can retain sensitive page content from internal dashboards, forms, or other authenticated pages without a clear consent notice or data-minimization boundary, creating privacy and data-exposure risk if the extension is inspected, synced elsewhere, or combined with other extension components.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The manifest states that points-of-interest are synced to a local bridge but provides no user-facing disclosure here about what page-derived data may be transmitted from arbitrary websites. In the context of an extension that runs on all URLs, this creates a transparency and privacy problem because users may not understand that interactions or page context from sensitive sites could be sent to a localhost service.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Injecting the content script on all URLs without scope constraints means the extension is active on far more pages than necessary, including sensitive and unrelated sites. In a Chrome automation skill, this broader attack surface is more dangerous because the extension is specifically designed to click, type, and interact with page content, so overbroad activation increases the chance of misuse or unintended actions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
POI data is posted to the configured bridge with an optional token, but the code provides no explicit consent dialog or prominent notice at the point of transfer explaining that saved targets will leave the extension. In a browser automation context, those POIs may reveal internal app structure, workflow targets, or sensitive page associations, so silent transfer increases the risk of accidental disclosure.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The sync action posts the full stored POI dataset to a local bridge service without any explicit user-facing disclosure in this flow about what metadata is being transmitted. Because POIs are filtered/stored by page URL pattern and include names and viewport coordinates, syncing can expose browsing context and automation targets to another process, which is sensitive in the context of browser automation and internal dashboards.

VirusTotal

64/64 vendors flagged this skill as clean.
