ClawHub

Browser Local Chrome

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be for browser automation, but it explicitly promotes bypassing SSRF/private-network protections and enabling powerful local Chrome control, so it needs careful review before installation.

Install only if you understand and need local browser automation with CDP. Keep it on a trusted machine, use a disposable Chrome profile, keep the debug port bound to localhost, disable private-network access unless explicitly required, and prefer narrow host allowlists over broad SSRF bypass behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The documented configuration explicitly sets `ssrfPolicy.dangerouslyAllowPrivateNetwork` to `true`, which permits browser-driven access to private-network resources from visited content or automated browsing flows. In a browser automation skill, this weakens SSRF protections and can enable probing or accessing internal services on localhost or RFC1918 networks, especially because the guide presents it as normal configuration without justification or compensating controls.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The README explicitly lists “绕过 SSRF 限制” (bypass SSRF restrictions) as a use case, which directly frames the skill as a mechanism to circumvent network access safeguards rather than perform ordinary browser automation. In the context of a local Chrome debugging skill, advertising SSRF bypass materially increases the likelihood the skill will be used to reach internal-only services or private resources through the browser process.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The README states that the skill enables `dangerouslyAllowPrivateNetwork: true`, granting browser access to private network addresses. This is a powerful capability that can expose internal services, cloud metadata endpoints, and other non-public resources, and it is especially concerning here because the same document also promotes bypassing SSRF restrictions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide instructs users to run forceful process-termination commands such as `taskkill /F` and `kill -9` without warning that they can abruptly terminate unrelated processes if the wrong PID is selected. In this skill’s context the commands are meant for troubleshooting a Chrome/CDP port conflict, but the lack of safety guidance still creates avoidable operational risk and possible data loss.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation recommends forcefully terminating a process with taskkill /F and kill -9, but it does not warn that abrupt termination can corrupt the Chrome profile, lose session data, or interrupt active automation unexpectedly. In the context of a browser-debug skill that uses a dedicated user data directory, this is operationally risky and may cause avoidable data loss or unstable browser state.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The configuration example sets dangerouslyAllowPrivateNetwork to true without any warning, which weakens network isolation and can expose private-network resources to browser-driven access patterns. In a skill explicitly designed to run a Chrome instance with remote debugging enabled, this materially increases the attack surface because local browser automation may be leveraged to reach internal services or sensitive endpoints.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill explicitly advertises enabling an SSRF whitelist configuration that 'allows access to arbitrary websites' and later recommends `dangerouslyAllowPrivateNetwork: true`, which can permit access to internal or private-network resources through the browser automation pathway. In the context of an automation gateway, this materially expands network reach and can expose localhost, cloud metadata, intranet services, or authenticated browser contexts without presenting a clear warning about the security implications.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script launches Chrome with the DevTools remote debugging port enabled, which exposes powerful browser control capabilities to any process or user that can reach that port. Although it prints the localhost URL afterward and uses a separate user-data-dir, it does not clearly warn users about the security implications of enabling CDP access or explicitly verify safe binding/access assumptions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal