Web Autopilot

Security checks across malware telemetry and agentic risk

Overview

This skill has a legitimate automation purpose, but it records and reuses logged-in web sessions with weak safeguards that need review before installation.

Install only if you trust the publisher and are comfortable recording logged-in apps. Prefer test or least-privilege accounts, avoid regulated or highly sensitive workflows, review generated run.ts files before registering them as tools, require dry-run and explicit confirmation for submissions, and regularly delete old recordings, sessions, and credentials under ~/.openclaw/rpa.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Intent-Code Divergence

Severity: Medium, Confidence: 98%
Finding
The documentation claims passwords are never stored in plaintext, but the example `credentials.ts save <domain> <user> <pass>` exposes the password on the shell command line. Command-line arguments are commonly recoverable from shell history, process listings, terminal logs, audit logs, and agent transcripts, so this defeats the stated protection even if the final file is encrypted at rest.

Context-Inappropriate Capability

Severity: High, Confidence: 98%
Finding
The recorder explicitly collects final cookies, localStorage, and sessionStorage, then persists them to recording.json and exposes cookie values again in summary.txt. These artifacts commonly contain session tokens, CSRF tokens, refresh tokens, and other secrets that enable account takeover or replay outside the narrow need of recording UI steps.

Context-Inappropriate Capability

Severity: High, Confidence: 97%
Finding
The code captures request headers, POST bodies, response headers, and response bodies for nearly all non-skipped traffic across all tabs, then stores them on disk. This can include Authorization headers, API keys, personal data, uploaded form contents, and sensitive business records, creating a broad exfiltration and retention channel far beyond minimal automation metadata.

Context-Inappropriate Capability

Severity: Medium, Confidence: 93%
Finding
The runner executes a task-local TypeScript file using `child_process.execSync` and `ts-node`, which means any code placed in `run.ts` is executed with the full privileges of the current user. In this skill's context, tasks are generated artifacts under a user-writable directory and are framed as reusable web automations, so this expands the trust boundary from browser automation into arbitrary local code execution.

Context-Inappropriate Capability

Severity: High, Confidence: 99%
Finding
The HTTP client sets `rejectUnauthorized: false` for every HTTPS request, which disables TLS certificate validation and makes man-in-the-middle interception trivial on untrusted networks or through malicious proxies. In this skill, the risk is amplified because the same client automatically carries authenticated session cookies and persistent headers, so intercepted traffic can expose credentials, tokens, and sensitive workflow data across arbitrary web apps.

Vague Triggers

Severity: Medium, Confidence: 88%
Finding
The README encourages registering generated automations as tools and invokes them through a broad natural-language phrase like "submit my expense report." In an agentic environment, overly generic trigger language can cause accidental or ambiguous tool execution for high-impact actions such as submitting forms or payment-related workflows, especially because this skill is explicitly designed to act on logged-in enterprise applications.

Vague Triggers

Severity: Medium, Confidence: 76%
Finding
The activation scope is extremely broad, covering automation for almost any logged-in web app, data extraction, and submissions across many request types. Broad trigger language can cause over-invocation in situations involving sensitive enterprise systems, leading the agent to capture authenticated traffic, process session material, or automate high-impact actions without sufficiently specific user intent. Because this skill can touch credentials and perform submissions, overly broad routing criteria are more dangerous here than in a low-risk utility skill.

Missing User Warnings

Severity: High, Confidence: 93%
Finding
The tool description says it records all user interactions and network traffic through any web app, but the implementation proceeds to capture highly sensitive browser and network data without any meaningful warning, consent checkpoint, or scope restriction. In a recorder intended for logged-in enterprise apps and SSO flows, that omission materially increases the chance users will unknowingly capture secrets and regulated data.

Missing User Warnings

Severity: High, Confidence: 98%
Finding
The code silently writes captured cookies and browser storage to disk and even includes cookie values in summary output, without disclosure or confirmation. Because this skill is designed to automate logged-in web apps, these persisted artifacts are especially likely to contain reusable credentials and confidential tenant data.

Missing User Warnings

Severity: High, Confidence: 96%
Finding
The recorder captures and saves headers, POST data, and response content with no clear runtime notice that credentials, personal data, or proprietary records may be included. In the context of SSO-enabled business-app automation, this omission is dangerous because routine use will often traverse authentication flows and sensitive APIs.

Missing User Warnings

Severity: Medium, Confidence: 87%
Finding
The tool immediately launches the selected task code without any user-facing warning that this will execute local code from `~/.openclaw/rpa/tasks`. Because the skill is marketed as no-code web automation for logged-in apps, users may reasonably expect a bounded browser action rather than unrestricted host execution, increasing the risk of accidental execution of a malicious or tampered task.

Missing User Warnings

Severity: Medium, Confidence: 91%
Finding
This code automatically parses recorded HTTP requests, extracts usernames and passwords, and persists them to disk without an explicit consent or confirmation step at the moment the secret is discovered. In a web automation skill that records logged-in sessions across arbitrary web apps, recordings can easily contain real production credentials, so silent extraction materially increases the risk of unintended credential retention, surprise collection of secrets, and later disclosure if the host or storage is compromised.

Missing User Warnings

Severity: Medium, Confidence: 91%
Finding
This code explicitly captures cookies from the browser context, extracts access tokens from app URLs, and persists the resulting authenticated session for later reuse. In a web automation skill that operates on logged-in enterprise apps, persisted authentication material can be reused to impersonate the user if the session store is exposed, making this more than a mere missing warning issue.

Missing User Warnings

Severity: Medium, Confidence: 86%
Finding
The session manager persists cookies, headers, and session fields to a JSON file on disk, which can include authentication material and other secrets. In a tool designed to automate logged-in web apps, this creates meaningful exposure if the local machine, home directory, backups, or other local processes are compromised, especially since there is no encryption, permission hardening, or clear user disclosure.

VirusTotal

65/65 vendors flagged this skill as clean.