Web Pilot

Security checks across malware telemetry and agentic risk

Overview

Web Pilot appears to be a legitimate browser automation skill, but its download and persistent-browser controls are broad enough to need careful review before use.

Use this only if you are comfortable running a local browser automation tool. Prefer an isolated environment, avoid logged-in or sensitive sites unless you directly control each action, close browser sessions when finished, and avoid untrusted downloads until filename confinement and TLS verification behavior are fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly enables outbound network access and local file writes (downloads, screenshots) but does not declare corresponding permissions or warn users about those capabilities. This undermines least-privilege and informed consent, making it easier for the skill to exfiltrate data, fetch untrusted content, or persist artifacts locally without adequate visibility.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The documented behavior understates the actual browser automation power, including arbitrary in-page JavaScript execution, form submission, proxy/user-agent overrides, and additional navigation and capture features. This mismatch is dangerous because operators may trust the skill for simple reading/searching while it can perform materially more invasive actions that affect remote sites, user privacy, and local data handling.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The `eval` action exposes arbitrary JavaScript execution in the context of whatever page is open, which materially exceeds a browsing/extraction skill and creates a powerful capability for DOM manipulation, credential harvesting from page content, unintended actions, and access to sensitive page state. Because this service listens on a local UNIX socket and accepts structured commands, any caller that can reach the socket can use the browser as a general-purpose automation/execution agent rather than a read-only web reader.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The `fill` action enables writing into page forms and optionally submitting them, introducing state-changing behavior not clearly disclosed by the skill description. This can be abused to perform searches, trigger workflows, submit data to websites, or interact with login/payment/recovery forms, moving the tool from passive browsing into active web automation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README documents powerful browser automation capabilities that can click controls, fill and submit forms, execute JavaScript, and write files to disk, but it does not clearly warn that these actions may change remote state, submit data, or create local artifacts. In an agent-driven context, this increases the risk of unintended transactions, account changes, destructive page actions, or unsafe local file writes because an operator may assume the skill is primarily read-only web browsing.
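The three findings above (the `eval` action reachable over a local UNIX socket, the state-changing `fill` action, and the missing warnings about both) describe a capability gap, not a fix. The following is an added example, written for this page and not the Web Pilot skill's own code, of how a browser automation service could gate such a command interface: read-only actions pass, state-changing actions need a single-use operator confirmation, in-page JavaScript is off unless the operator has enabled it for a specific origin, and the socket file is created with mode 0600 so that not every local process can drive the browser. The action names, the command shape (`{"action": ..., "confirm": ...}`) and the policy fields are illustrative assumptions; the skill's real command vocabulary is not shown on this page.

```python
import os
import secrets
import socket
import tempfile
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Illustrative action names (assumed; not the skill's actual vocabulary).
READ_ONLY = {"goto", "text", "links", "screenshot"}
STATE_CHANGING = {"click", "fill", "download"}
CODE_EXEC = {"eval"}


class Denied(PermissionError):
    """A command was rejected by the gate."""


@dataclass
class Policy:
    """Operator-controlled settings. Confirmation tokens are one-shot: each
    authorizes exactly one state-changing or code-executing command."""
    allow_eval_origins: set = field(default_factory=set)  # e.g. {"https://intranet.example"}
    pending_tokens: set = field(default_factory=set)

    def issue_confirmation(self) -> str:
        tok = secrets.token_urlsafe(16)
        self.pending_tokens.add(tok)
        return tok

    def consume(self, tok) -> None:
        if tok is None or tok not in self.pending_tokens:
            raise Denied("state-changing command needs a fresh operator confirmation")
        self.pending_tokens.discard(tok)  # a token cannot be replayed


def origin_of(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def authorize(cmd: dict, policy: Policy, current_url: str) -> str:
    """Deny by default. Returns the action name if the command may proceed."""
    action = cmd.get("action")
    if action in READ_ONLY:
        return action
    if action in STATE_CHANGING:
        policy.consume(cmd.get("confirm"))
        return action
    if action in CODE_EXEC:
        # Origin check first, so a token is not burned on a refused eval.
        if origin_of(current_url) not in policy.allow_eval_origins:
            raise Denied(f"eval not enabled for origin {origin_of(current_url)}")
        policy.consume(cmd.get("confirm"))
        return action
    raise Denied(f"unknown action {action!r}")


def bind_private_socket(path: str) -> socket.socket:
    """Create the listening UNIX socket with mode 0600 (owner only). The umask
    is applied by bind(); the mode is re-checked rather than trusted."""
    old_umask = os.umask(0o177)
    try:
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
    finally:
        os.umask(old_umask)
    mode = os.stat(path).st_mode & 0o777
    if mode != 0o600:
        srv.close()
        os.unlink(path)
        raise Denied(f"socket {path} has mode {oct(mode)}, refusing to serve")
    return srv


def run_demo() -> dict:
    """Push a few constructed commands through the gate; returns the outcomes."""
    policy = Policy(allow_eval_origins={"https://intranet.example"})
    page = "https://news.example/article"
    out = {"read_ok": authorize({"action": "text"}, policy, page) == "text"}

    def denied(cmd, url):
        try:
            authorize(cmd, policy, url)
            return False
        except Denied:
            return True

    fill = {"action": "fill", "selector": "#q", "value": "hello", "submit": True}
    out["fill_without_token_denied"] = denied(fill, page)
    tok = policy.issue_confirmation()
    out["fill_with_token_ok"] = authorize({**fill, "confirm": tok}, policy, page) == "fill"
    out["token_reuse_denied"] = denied({**fill, "confirm": tok}, page)
    ev = {"action": "eval", "script": "document.cookie", "confirm": policy.issue_confirmation()}
    out["eval_wrong_origin_denied"] = denied(ev, page)
    out["eval_allowed_origin_ok"] = authorize(ev, policy, "https://intranet.example/dash") == "eval"
    out["unknown_denied"] = denied({"action": "shell"}, page)
    return out


def socket_mode_demo() -> int:
    """Bind a throwaway socket in a temp dir and report its file mode."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "wp.sock")
        srv = bind_private_socket(path)
        mode = os.stat(path).st_mode & 0o777
        srv.close()
        os.unlink(path)
    return mode


if __name__ == "__main__":
    print(run_demo(), oct(socket_mode_demo()))
```

The point of the one-shot token is that an agent cannot pre-authorize itself: each `fill`, `click`, `download` or `eval` costs one explicit operator decision, which is exactly the informed-consent step the findings say the skill lacks.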

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill supports downloading files and saving screenshots, which create local artifacts that may contain sensitive information or untrusted content, yet the description does not warn users about this persistence. In a browsing/downloading skill, silent writes to local storage increase the risk of accidental data retention, unsafe file handling, and confusion about where data is stored.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill sends web requests to external URLs and extracts page contents, but the description omits a privacy warning that user-supplied URLs, search terms, and fetched content are disclosed to third-party sites and search engines. Because this skill is specifically designed for web interaction, missing privacy disclosures materially increases the chance that users expose sensitive internal URLs, tokens, or research activity unintentionally.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The code automatically clicks consent/accept controls, including broad patterns like 'accept all', without informing the user or distinguishing between rejecting tracking and accepting unnecessary data processing. This can silently opt users into tracking, alter privacy preferences, and create compliance and consent-integrity issues, especially because it also probes iframes where many CMPs are embedded.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
On TLS failure, the code silently retries the download with certificate verification disabled, which defeats HTTPS authenticity guarantees and enables man-in-the-middle interception or content tampering. In this skill, downloaded content is then saved to disk and may be further processed, so accepting untrusted content over an unauthenticated channel is materially dangerous.
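The finding above, together with the local-artifact finding and the overview's note on filename confinement, comes down to two download-path controls. The following is an added example written for this page, not the Web Pilot skill's own code: the silent verify-disabled retry is shown next to a fail-closed version, and a filename guard keeps downloads inside a fixed directory. The network fetch is replaced by a constructed stand-in that behaves like a server with a bad certificate, so the block runs offline; `DOWNLOAD_DIR`, the `fetch(url, ctx)` callable and the example URLs are assumptions.

```python
import ssl
from pathlib import Path
from urllib.parse import unquote, urlsplit

DOWNLOAD_DIR = Path("downloads")  # assumed destination directory (illustrative)


class DownloadRefused(Exception):
    """Raised when a download is rejected for TLS or filename reasons."""


def _verified_context() -> ssl.SSLContext:
    return ssl.create_default_context()  # CERT_REQUIRED plus hostname check


def _unverified_context() -> ssl.SSLContext:
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def download_insecure(url: str, fetch) -> bytes:
    """The anti-pattern in the finding: any TLS error triggers a silent retry
    with verification off, so an on-path attacker presenting a bogus
    certificate gets a second chance to serve arbitrary bytes."""
    try:
        return fetch(url, _verified_context())
    except ssl.SSLError:
        return fetch(url, _unverified_context())


def download_hardened(url: str, fetch) -> bytes:
    """Fail closed: a TLS error is surfaced to the caller, never bypassed."""
    try:
        return fetch(url, _verified_context())
    except ssl.SSLError as exc:
        raise DownloadRefused(f"TLS verification failed for {url}: {exc}") from exc


def confined_path(url: str, download_dir: Path = DOWNLOAD_DIR) -> Path:
    """Derive the output filename from the URL's last path segment and refuse
    anything that could escape download_dir: empty names, '.' / '..', and any
    separator that appears after percent-decoding (e.g. '..%2F..%2Fetc%2Fpasswd')."""
    name = unquote(urlsplit(url).path.rsplit("/", 1)[-1])
    if not name or name in {".", ".."} or Path(name).name != name or "\\" in name:
        raise DownloadRefused(f"unsafe filename derived from URL: {name!r}")
    root = download_dir.resolve()
    target = (root / name).resolve()
    if target.parent != root:  # belt and braces: must be a direct child of root
        raise DownloadRefused(f"{target} is outside {root}")
    return target


# Constructed stand-in for a network fetch (no traffic is sent): the "server"
# fails certificate verification and serves attacker-controlled bytes to any
# client that stops verifying.
def fetch_with_bad_cert(url: str, ctx: ssl.SSLContext) -> bytes:
    if ctx.verify_mode == ssl.CERT_REQUIRED:
        raise ssl.SSLError("certificate verify failed: self-signed certificate")
    return b"TAMPERED PAYLOAD"


def run_demo(url: str = "https://example.test/files/report.pdf") -> dict:
    """Exercise both download paths and the filename guard; returns outcomes."""
    out = {"insecure_accepts_tampered": download_insecure(url, fetch_with_bad_cert) == b"TAMPERED PAYLOAD"}
    try:
        download_hardened(url, fetch_with_bad_cert)
        out["hardened_refuses"] = False
    except DownloadRefused:
        out["hardened_refuses"] = True
    try:
        confined_path("https://example.test/a/..%2F..%2Fetc%2Fpasswd")
        out["traversal_refused"] = False
    except DownloadRefused:
        out["traversal_refused"] = True
    out["plain_name_ok"] = confined_path(url).name == "report.pdf"
    return out


if __name__ == "__main__":
    print(run_demo())
```

If a site really does need a non-public CA, the right change is to load that CA into the verified context (`ctx.load_verify_locations(...)`) for that host, not to drop verification for everyone.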

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script intentionally clicks consent-related UI elements automatically, including in iframes, without requiring explicit user confirmation or clearly signaling that consent choices may be made on the user's behalf. In a web-browsing skill, this can cause unintended acceptance of tracking, analytics, or legal terms and may change site state in a way the user did not authorize.

VirusTotal

63/63 vendors flagged this skill as clean.
