Chrome CDP for OpenClaw

Security checks across malware telemetry and agentic risk

Overview

This skill is useful browser automation, but it needs review because it can set up system components from an unpinned remote script and control real logged-in Chrome sessions.

Install only if you are comfortable giving an agent control over a Chrome session that may already be logged into sensitive accounts. Review and pin the remote setup script before running it, prefer a separate Chrome profile or VM, close the CDP-enabled browser when done, avoid saving auth state unless encrypted and access-controlled, and require explicit confirmation before purchases, emails, uploads, cookie/state access, payment entry, or other account-changing actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

Context-Inappropriate Capability

High, 97% confidence
Finding
The skill instructs the agent to execute remote shell code directly from the network via curl-to-bash, including privileged install, reinstall, and uninstall operations. This creates a direct remote code execution and supply-chain risk on the host that is not necessary for ordinary browser interaction, and a compromised upstream script or repository would immediately translate into full system compromise.

Context-Inappropriate Capability

Medium, 89% confidence
Finding
The skill states that startup kills any existing Chrome processes before launching a debug-enabled browser. That behavior exceeds normal website automation and can disrupt active user sessions, terminate unrelated work, and potentially cause loss of unsaved browser data.

Context-Inappropriate Capability

High, 96% confidence
Finding
The authentication section documents exporting browser session state to files and storing credentials for automated reuse. In the context of an agent with access to already logged-in Chrome profiles, this materially increases the risk of credential theft, cookie exfiltration, persistent unauthorized access, and cross-service account compromise.

Context-Inappropriate Capability

Medium, 82% confidence
Finding
Arbitrary JavaScript evaluation in the browser context expands the skill from simple UI automation to unrestricted page-context code execution. That can be abused to read sensitive DOM content, extract tokens or page data, manipulate application state in unexpected ways, and bypass safer higher-level interaction primitives.

Description-Behavior Mismatch

Medium, 93% confidence
Finding
The command reference exposes capabilities far beyond ordinary browser navigation and form interaction, including arbitrary JavaScript execution, custom executable selection, and arbitrary extension loading. In an agent skill intended to operate within a user's existing authenticated browser context, these features materially expand the attack surface and enable code execution, browser tampering, or data access beyond the stated task scope.

Context-Inappropriate Capability

Medium, 96% confidence
Finding
`agent-browser eval` allows arbitrary JavaScript execution in the page context, including via base64 or stdin, which can read sensitive DOM data, manipulate forms, exfiltrate tokens available to page scripts, or trigger privileged authenticated actions. Because this skill is designed to use existing login sessions, arbitrary page-context script execution is especially dangerous and not clearly justified by the stated browser automation purpose.

Context-Inappropriate Capability

Medium, 94% confidence
Finding
Allowing arbitrary browser extensions and custom browser executables lets a caller alter the browser's trust boundary, inject code, capture browsing data, or run an untrusted binary under the guise of browser automation. This capability is not necessary for ordinary interaction with websites and is particularly risky in a session tied to the user's existing authenticated state.

Vague Triggers

Medium, 76% confidence
Finding
The invocation guidance is very broad, covering general website interaction, data extraction, form filling, and use of existing login sessions without meaningful constraints. Overly broad activation criteria increase the chance the skill is invoked in sensitive contexts where it can access authenticated data or perform impactful actions beyond what the user intended.

Missing User Warnings

High, 94% confidence
Finding
The skill prominently advertises immediate access to existing Chrome login sessions for services like Gmail and GitHub without a corresponding privacy or consent warning. In this context, authenticated browser reuse is inherently sensitive because the agent can access personal data and act as the user across multiple services.

Missing User Warnings

High, 96% confidence
Finding
The skill includes system-modifying install, reinstall, and uninstall commands fetched and executed from the network, including sudo-requiring setup, without sufficiently prominent warnings about host impact. This exposes users to unexpected system changes, persistence, package installation, desktop environment changes, and supply-chain compromise.

Missing User Warnings

Medium, 88% confidence
Finding
The documentation notes that launching Chrome will kill existing Chrome processes, but the warning is not strong enough for the potential disruption. Users may lose active browsing state, downloads, unsaved form input, or other session context if the skill is invoked automatically.

Missing User Warnings

High, 97% confidence
Finding
The authentication guidance describes saving cookies/session state to local files and storing credentials in an auth vault without explicit secret-handling safeguards. That materially increases the risk of leaking reusable authentication artifacts to disk, logs, other tools, or future agent actions.

Missing User Warnings

Medium, 84% confidence
Finding
The examples encourage saving screenshots and PDFs to disk without warning that captured pages may contain personal data, session information, financial details, or other sensitive content. In an agent environment, silent persistence increases the chance of unintended retention, later disclosure, or collection by other tools and users on the same system.

Missing User Warnings

Medium, 95% confidence
Finding
Commands for setting credentials, reading cookies, and accessing localStorage expose highly sensitive authentication material, yet the reference gives no caution about secret handling or the risk of session theft. Since the skill explicitly works with existing login sessions, these commands can directly reveal or manipulate tokens and authenticated state.

Missing User Warnings

Medium, 92% confidence
Finding
The JavaScript evaluation section documents execution of arbitrary page-context code without warning that it can inspect page data, alter application behavior, and access any information available to the page runtime. In a browser automation skill connected to live authenticated sessions, this omission makes unsafe use more likely and conceals a high-risk capability behind ordinary documentation.

Missing User Warnings

Medium, 92% confidence
Finding
The documentation shows proxy credentials embedded directly in environment variable URLs, which can lead users to expose secrets through shell history, process listings, logs, screenshots, or copied config files. In a browser automation skill that may be used on shared systems or recorded agent sessions, this pattern increases the chance of credential leakage even if the example is only illustrative.

Missing User Warnings

Medium, 91% confidence
Finding
The documentation includes concrete examples of filling a password field and a payment card number directly in browser automation commands, but it provides no warning about sensitive-data handling, consent, masking, storage, or redaction. In this skill's context, that omission is more dangerous because the tool is explicitly designed to operate within a user's existing logged-in Chrome session, increasing the likelihood that agents will handle real credentials and payment data rather than dummy examples.

Missing User Warnings

Medium, 93% confidence
Finding
The documentation encourages recording full browser automation sessions to video but does not warn that recordings may capture sensitive on-screen information such as authenticated sessions, personal data, tokens, or secrets displayed in the browser. In this skill's context, the browser is explicitly used with existing login sessions, which materially increases the chance that sensitive user data will be stored in reusable artifacts.

Missing User Warnings

High, 98% confidence
Finding
The documentation includes a login-recording example that captures a full authentication workflow, including password entry, and saves it to disk without any caution about secrets exposure. Because this skill is designed to operate against websites using the user's existing logged-in Chrome session, such recordings can expose credentials, MFA prompts, account data, and other sensitive content to anyone with access to the artifact.

VirusTotal

66/66 vendors flagged this skill as clean.