Browser Use 1.0.0

Security checks across malware telemetry and agentic risk

Overview

This skill is an instruction-only integration for a stated cloud browser service, with sensitive browser-profile behavior that is disclosed and purpose-aligned but needs careful use.

Install only if you trust Browser Use with the browser sessions you create. Prefer fresh or dedicated low-privilege profiles, avoid syncing broad local Chrome cookies or sensitive accounts, do not send secrets or regulated data in task prompts, and stop sessions or delete profiles when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • YARA Signatures: Malware Match, Webshell Match, Cryptominer Match
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Medium
Confidence: 75%
Finding:
The skill advertises additional API surface area for Files, Skills, and Skills Marketplace beyond its declared purpose of browser sessions and autonomous browser tasks. Expanding documented capabilities without clear scope or guardrails increases the chance an agent will invoke unrelated high-privilege features, creating unnecessary attack surface and scope creep.

Missing User Warnings

Medium
Confidence: 92%
Finding:
The profile feature explicitly persists cookies and login state, yet the skill does not warn users that long-lived authenticated browser profiles can retain sensitive session tokens and account access. In an agent context, this increases the risk of unintended reuse, cross-task data exposure, or account takeover if profiles are shared, mis-scoped, or compromised.

YARA rule 'info_stealer': Information stealer patterns (credential harvesting, browser data theft) [malware]

High
Category: YARA Match
Content:
-H "X-Browser-Use-API-Key: $API_KEY"
```

**Tip:** You can also sync cookies from your local Chrome using the Browser Use Chrome extension.

---
Confidence: 94%
Finding:
cookies from your local Chrome using the Browser Use Chrome

VirusTotal

64/64 vendors flagged this skill as clean.
