Browser Auth

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but it handles reusable login sessions and its command-line default can expose the browser-control server more broadly than the documentation claims.

Install only if you are comfortable delegating an authenticated web session to the agent. Set AUTH_HOST=127.0.0.1 unless using a trusted tunnel, keep the tokenized link private, run it in an isolated environment for sensitive accounts, and delete the generated session file immediately after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Intent-Code Divergence

Medium
Confidence: 89%
Finding
The code includes a security-assuring comment stating that the sandbox is always enabled, but the launch options shown do not explicitly establish Chromium sandboxing, so the comment may mislead operators into trusting a stronger isolation boundary than is actually guaranteed. In a skill that handles authentication sessions and visits remote pages with imported cookies, overstating sandbox protection increases risk if a malicious page is loaded or the browser is compromised.

Missing User Warnings

Medium
Confidence: 93%
Finding
This code captures authenticated browser state (cookies and localStorage) and writes it to disk in plaintext. In the context of a tool explicitly designed to handle logins, 2FA, and session capture, that file can contain reusable session tokens that allow account takeover if the host is compromised, the file is mishandled, or another local process/user can read it.

Missing User Warnings

Medium
Confidence: 89%
Finding
The server continuously screenshots the live browser page and sends the images over a Socket.IO channel, exposing whatever is on screen, including passwords, 2FA prompts, personal data, and session-sensitive content. Although token-gated, the app listens on 0.0.0.0 by default in the CLI path and does not enforce transport encryption, so interception, token leakage, or unauthorized access could expose sensitive authentication data.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script reads session cookies from disk and injects them into a browser context before navigating to a caller-supplied URL, which can expose authenticated session material to unintended destinations. In the context of a browser-auth skill designed to capture and reuse session data, this is particularly sensitive because it enables automated verification against arbitrary URLs and could be abused for session hijacking, account access, or exfiltration of authenticated state.

VirusTotal

66/66 vendors flagged this skill as clean.
