Browser Ops Publish

Security checks across malware telemetry and agentic risk

Overview

This web automation skill works as described, but it reuses and stores browser login sessions, documents how to bypass anti-bot protections, and its helper scripts pass unvalidated input to the shell.

Review before installing. Use it only for sites and accounts you are authorized to access, require explicit confirmation before any browser-cookie or internal-site access, skip the anti-bot/proxy guidance unless you have permission from the site owner, and do not run the helper scripts with untrusted URLs, queries, or limits until the injection issues are fixed. Protect or delete any exported cookie files after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (21)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The trigger evaluation explicitly marks bulk and high-volume scraping requests as in scope, including requests to check 100 stocks, batch-download 50 pages, and scrape many pages quickly. This contradicts the skill description, which lists high-concurrency crawling (over 10 pages per minute) as out of scope, and can cause the router to invoke the skill for the misuse-prone automation tasks the author claimed to exclude.

Missing User Warnings

Medium
Confidence: 92%
Finding
The README explicitly promotes direct reuse of browser cookies and login state to access authenticated content, including internal pages, without any guardrails about authorization, data minimization, or consent. In an agent skill, this is dangerous because it can cause the agent to access and exfiltrate sensitive account-scoped or internal data simply because the browser session is already authenticated.

Missing User Warnings

Medium
Confidence: 95%
Finding
The example command shows reading an internal site through Chrome session reuse, advertised as 'Cookie 零配置' ("zero-configuration cookies"), with no warning that this may expose private enterprise resources or authenticated user data. In this skill context the risk is elevated because the whole purpose of the skill is routing an agent toward web access methods, which makes accidental access to sensitive internal systems materially more likely.

Vague Triggers

Medium
Confidence: 93%
Finding
The trigger set is extremely broad and overlaps with ordinary requests such as '帮我看' ("help me look at"), '打开链接' ("open the link"), 'visit site', and generic web-related terms. In an agent environment this can cause unintended activation of a high-capability skill, leading to unsolicited browsing, command execution, cookie use, or external requests in contexts where a simpler or safer skill should have handled the task.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill explicitly instructs automatic escalation to `opencli web read` using Chrome cookies for internal or authenticated sites, without prior warning or consent. This is dangerous because it may access user-specific or corporate-internal data under existing browser sessions and expose account-context information to the agent or downstream tools unexpectedly.

Missing User Warnings

Medium
Confidence: 98%
Finding
Automatically upgrading from unauthenticated fetches to cookie-backed authenticated access without notifying the user removes an important trust boundary. An attacker could exploit benign-looking prompts or redirects to cause the agent to retrieve privileged content from accounts or internal systems that the user did not intend to expose.

Vague Triggers

Medium
Confidence: 86%
Finding
The evals use broad, everyday prompts such as searching, opening URLs, and reading pages without strong boundaries tying activation to clearly scoped browser-operation tasks. This increases the chance of over-triggering the skill on ordinary user requests and routing users into web access or automation flows unnecessarily, which can expand attack surface and cause unintended data access or tool use.

Vague Triggers

Medium
Confidence: 98%
Finding
This eval explicitly normalizes anti-bot evasion by directing the agent to use tools to get around Cloudflare protections and, if needed, recommend residential proxies. That behavior materially increases misuse risk because it encourages bypass of access controls rather than limiting the agent to authorized, compliant access paths.

Vague Triggers

Medium
Confidence: 88%
Finding
The examples cover a very broad range of generic web requests such as opening URLs, downloading webpage assets, reading sites, social-media lookups, screenshots, login-state access, and anti-bot scenarios, with little precision around authorization, rate limits, or sensitive environments. In a routing skill, overbroad trigger examples can cause unintended activation on risky requests, including internal-site access, cookie-backed browsing, or scraping scenarios that deserve stricter gating.

Missing User Warnings

Medium
Confidence: 93%
Finding
This file gives operational guidance for bypassing anti-bot controls, persisting cookies, using proxy pools, and rotating residential proxies, but it provides no guardrails about authorization, terms-of-service, privacy, or legal restrictions. In the context of a browser-ops skill that routes agents to web access tooling, this materially increases the chance the agent will assist with unauthorized scraping, access-control evasion, or collection from protected/internal sites.

Missing User Warnings

Medium
Confidence: 93%
Finding
The documentation explicitly instructs use of browser-originated requests that automatically carry the user's existing cookies, including for an internal site, without any warning, consent requirement, scope limitation, or handling guidance for sensitive/account-scoped data. In this skill's context, that is more dangerous because the skill is specifically designed to route an agent's web access and mentions internal websites, SSO, login state, and anti-bot scenarios, which increases the likelihood of accessing privileged content or exfiltrating private data through authenticated sessions.

Missing User Warnings

Medium
Confidence: 89%
Finding
The routing guide explicitly recommends browser automation actions such as clicking, form filling, screenshots, and autonomous multi-step execution, but it does not require user confirmation, scope limitation, or warnings about side effects on real websites and logged-in accounts. In this skill's context, that is more dangerous because the broader skill metadata also emphasizes cookies, login state, SSO, internal sites, and anti-bot handling, increasing the chance that automated actions affect sensitive sessions or perform unintended state-changing operations.

Missing User Warnings

Medium
Confidence: 90%
Finding
The document instructs users to export browser cookies and login state into a local file (`unified-state.json`) but does not warn that these artifacts may contain session tokens, SSO credentials, or other bearer secrets. In the context of a browser-operations skill that explicitly handles authenticated browsing, this omission increases the chance that operators store, copy, or expose highly sensitive state insecurely, enabling account takeover if the file is accessed by another process or user.

Missing User Warnings

Medium
Confidence: 94%
Finding
The script persists browser session cookies to ~/.browser-ops/cookie-store/unified-state.json, which can contain active authentication tokens for internal sites, SSO, and other logged-in services. Although one code path later applies chmod 600, the storage is long-lived and the user is not clearly warned before sensitive session material is written to disk, increasing the chance of accidental retention, backup exposure, or theft by another local process or user.
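A check an operator can run on the exported state file before and after a session, covering the two cookie-store findings above. This is an added example and not part of the skill: it flags a store that is readable by other local users and scrubs the state file afterwards. The default store path is the one the finding names; the function names, the 0700/0600 policy, and the scrub method are assumptions.

```shell
#!/bin/sh
# Added example, not the skill's own code. Audits the cookie store that the
# finding names (default path assumed to be the skill's) and scrubs it after use.

# Return 1 and print warnings if the store directory is not 0700 or any file in
# it is not 0600; return 0 when the store is absent or correctly locked down.
audit_cookie_store() {
  dir=${1:-"$HOME/.browser-ops/cookie-store"}
  [ -d "$dir" ] || { echo "no cookie store at $dir"; return 0; }
  bad=0
  # The directory itself must not be group- or world-accessible.
  if [ -n "$(find "$dir" -maxdepth 0 -type d ! -perm 700)" ]; then
    echo "WARN: $dir is not mode 0700"; bad=1
  fi
  # Every state file (session cookies, SSO tokens) must be owner-only.
  files=$(find "$dir" -type f ! -perm 600)
  if [ -n "$files" ]; then
    printf 'WARN: not mode 0600:\n%s\n' "$files"; bad=1
  fi
  return $bad
}

# Overwrite each exported state file with zeros, then unlink it. Overwriting is
# best-effort on SSDs and copy-on-write filesystems; deletion is the real control.
scrub_cookie_store() {
  dir=${1:-"$HOME/.browser-ops/cookie-store"}
  [ -d "$dir" ] || return 0
  find "$dir" -type f -name '*.json' | while IFS= read -r f; do
    size=$(wc -c < "$f" | tr -d ' ')
    dd if=/dev/zero of="$f" bs=1 count="$size" conv=notrunc 2>/dev/null
    rm -f "$f"
  done
}
```

Run `audit_cookie_store` before starting an authenticated session so a world-readable store is caught before tokens land in it, and `scrub_cookie_store` once the task is done; a 0600 file is still readable by any process running as the same user, so deletion is what actually ends the exposure.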

Missing User Warnings

Medium
Confidence: 92%
Finding
The inject-py flow silently reuses stored cookies to access a user-supplied URL, which can perform authenticated requests with the user's existing session. In the context of a browser-ops skill explicitly designed for login-state, SSO, internal websites, and anti-bot scenarios, this is sensitive behavior and should require a clear warning and tighter validation to avoid unintended authenticated access or session misuse.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script automatically falls back from local/browser-attached reading to external services such as Firecrawl without notifying the user that the target URL and potentially page-derived content will be sent to a third party. In this skill's context, URLs may include internal, authenticated, or sensitive targets (the metadata explicitly mentions Cookie, SSO, internal websites, and anti-bot scenarios), so silent escalation to a remote scraping API can leak confidential destinations or content outside the local trust boundary.

Missing User Warnings

Medium
Confidence: 90%
Finding
The script sends the user-provided search query to third-party services (Tavily, Google via opencli, and potentially Google through agent-browser) without any explicit notice, consent check, or data-sensitivity guard. In this skill’s context, queries may contain internal URLs, incident details, credentials-adjacent identifiers, or other sensitive investigation data, so silent exfiltration to external providers creates a real privacy and confidentiality risk.

Missing User Warnings

Medium
Confidence: 98%
Finding
The script builds a shell command string containing user-controlled input (`LIMIT`) and executes it with `eval`, which enables command injection. An attacker can supply shell metacharacters in the second argument to execute arbitrary commands on the host running the skill. This is substantially more dangerous in an agent automation context, where the argument may be derived from a prompt, a fetched page, or a tool-routing decision rather than typed by the operator.
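The injection pattern this finding describes, shown next to a hardened equivalent. This is an added illustration, not the skill's helper script: `fetch_stub` stands in for the real fetch command and only echoes its arguments so the example runs offline, and the function names, argument order, and the 1-100 limit range are assumptions.

```shell
#!/bin/sh
# Added example, not the skill's helper script. fetch_stub replaces the real
# fetch command so this runs offline; names and the limit range are assumed.
fetch_stub() { printf 'fetch url=%s limit=%s\n' "$1" "$2"; }

# Vulnerable pattern: the command line is assembled as a string and handed to
# eval, so a LIMIT such as '5; echo INJECTED' runs the injected command.
unsafe_fetch() {
  URL=$1
  LIMIT=$2
  CMD="fetch_stub '$URL' $LIMIT"
  eval "$CMD"
}

# Hardened equivalent: reject anything that is not a bounded integer, require an
# http(s) URL, and pass both values as separate arguments with no eval, so the
# shell never re-parses user-controlled input.
safe_fetch() {
  url=$1
  limit=$2
  case $limit in
    ''|*[!0-9]*) echo "limit must be a positive integer" >&2; return 2 ;;
  esac
  if [ "$limit" -lt 1 ] || [ "$limit" -gt 100 ]; then
    echo "limit out of range (1-100)" >&2; return 2
  fi
  case $url in
    http://*|https://*) ;;
    *) echo "url must start with http:// or https://" >&2; return 2 ;;
  esac
  fetch_stub "$url" "$limit"
}
```

The fix is not quoting inside the eval string but removing eval entirely: once arguments are passed as separate words, metacharacters in `$limit` or `$url` reach the fetch command as literal text, and the integer check additionally bounds the request volume the rest of the report flags as out of scope.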

Vague Triggers

Medium
Confidence: 91%
Finding
The activation tests include very broad prompts such as opening, reading, visiting, or downloading URLs without explicit boundaries on allowed targets, data classes, or user authorization. In a browser-routing skill, this can cause over-triggering on sensitive requests and normalize access to arbitrary web resources, including internal or authenticated pages, without requiring safety checks.

Missing User Warnings

Medium
Confidence: 95%
Finding
The suite explicitly tests opening internal websites and taking screenshots but provides no warning, consent requirement, or handling guidance for sensitive information that may appear on those pages. In this skill context, screenshots of internal systems can expose credentials, customer data, dashboards, or other confidential content, making the omission materially risky.

Ssd 2

High
Confidence: 99%
Finding
The eval instructs the agent to evade anti-bot protections using specialized tooling and to suggest residential proxies if blocked. In the context of a browser-operations skill, this is especially dangerous because it operationalizes access-control circumvention and could directly enable scraping, account abuse, or unauthorized access attempts against protected services.

VirusTotal

67/67 vendors flagged this skill as clean.