ko-browser

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate browser automation skill, but it gives agents broad website control and under-explains the risks of saved credentials, session files, and network logs.

Install only if you are comfortable giving an agent browser-control authority. Prefer a pinned upstream version, use dedicated low-privilege accounts and isolated browser profiles, avoid saving real passwords through command-line arguments, treat exported auth files and profiles as secrets, avoid network logging on sensitive sessions, and require explicit confirmation before submitting forms, changing account data, uploading files, posting content, or making purchases.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The documentation explicitly claims that `auth login` means the LLM never sees the password, but the preceding example uses `kbr auth save ... --username user --password pass`, which places credentials directly on the command line where they may be visible to the agent, shell history, process listings, logs, or transcript capture. In an agent skill, this misleading assurance is dangerous because it can encourage unsafe handling of real credentials under the false belief they are hidden.

Vague Triggers

Medium
Confidence: 84%
Finding
The trigger description is extremely broad, covering nearly any request involving websites, screenshots, scraping, login, or automation. In an agent environment, overly permissive routing can cause this powerful browser skill to activate unnecessarily, increasing the chance of unintended browsing, credential handling, state persistence, or execution of sensitive actions on third-party sites.

Missing User Warnings

Medium
Confidence: 95%
Finding
The authentication guidance recommends persistent profiles, exported state files, and an auth vault without warning that these artifacts may contain cookies, tokens, usernames, and passwords. In a browser automation skill, stored session state can grant account access long after initial use, so omission of handling and storage warnings materially increases the risk of credential leakage or session hijacking.

Missing User Warnings

Medium
Confidence: 91%
Finding
The network logging and related inspection features can capture full URLs, headers, cookies, tokens, query parameters, and other sensitive traffic, yet the documentation presents them without privacy or data-minimization warnings. In an agent setting, captured request logs may be surfaced back to the model or persisted in tool output, creating a realistic path for secret exposure.

VirusTotal

63/63 vendors flagged this skill as clean.
