ClawHub

Fast Browser Use 1.0.5

Security checks across malware telemetry and agentic risk

Overview

This is a real browser automation skill, but it promotes bot-detection bypass and session reuse while exposing powerful browser, cookie, page-capture, and file-write capabilities without clear safeguards.

Install only if you need powerful browser automation and can run it in an isolated Chrome profile on authorized sites. Treat saved session files, cookies, screenshots, snapshots, local storage, and tab URLs as sensitive secrets. Avoid using the bot-evasion and protected-site scraping recipes, and review the CLI sandbox-disabled behavior before using it with logged-in accounts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (18)

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The code saves full browser cookies to a local JSON file without protection, creating a reusable authentication artifact that can be stolen by other local users, malware, or accidental exposure through backups and source control. Because these cookies may represent active logged-in sessions, compromise can enable account takeover without needing credentials or MFA.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The recipes and descriptions present broad site mapping, harvesting, and analysis workflows that can be applied to many third-party sites without clear user authorization, domain restrictions, or purpose limitations. That makes it easy for an agent to use the skill for mass scraping or reconnaissance beyond the intended scope.

Missing User Warnings

High
Confidence
98% confidence
Finding
The documentation explicitly normalizes saving a logged-in session and reusing it later, even labeling it a 'Cookie Heist' and 'steal the session.' Session artifacts, cookies, and storage tokens can grant direct authenticated access and are highly sensitive credentials equivalent to account access in many environments.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill documents scraping, DOM capture, screenshotting, and protected-site interaction without any warning about privacy, terms-of-service, consent, or legal authorization. In practice, these features can collect personal, proprietary, or sensitive page content from sites the operator is not authorized to inspect or archive.

Natural-Language Policy Violations

Critical
Confidence
99% confidence
Finding
The skill content directly encourages bypassing bot detection and stealing or reusing sessions, which goes beyond neutral automation and into explicit abuse patterns. In the context of a browser automation skill with cookie, storage, and navigation support, these instructions materially enable unauthorized access, account misuse, and evasion of platform defenses.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This code exposes direct read and write access to browser cookies, which are sensitive session credentials that can enable account hijacking and impersonation. In an agent skill context, unrestricted cookie access is more dangerous because tools may be invoked on behalf of a user and can silently extract or modify authenticated session state across sites.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code explicitly reads live values from INPUT and TEXTAREA elements and inserts them into the serialized ARIA snapshot. That can capture sensitive user data such as search terms, personal information, or secrets typed into forms, and the surrounding skill context suggests this data is meant for AI/browser-agent consumption, increasing the chance of unnecessary exfiltration beyond the page boundary.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The tool writes attacker-controlled image bytes to an arbitrary filesystem path supplied in `params.path` with no validation, restriction to a safe directory, or overwrite protections. In an agent setting, an untrusted prompt or webpage-driven workflow could cause the agent to create or overwrite files anywhere the process has access, leading to data loss, persistence, or placement of malicious content in sensitive locations.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The tool exposes all browser session cookies through `get_cookies()` without any visible user confirmation, scope restriction, or enforcement of the optional `urls` filter. Cookies often contain authenticated session material, so unrestricted read access can let an agent exfiltrate secrets and impersonate the user across sites. In a browser-automation skill, this is especially dangerous because the surrounding context likely includes live authenticated sessions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The tool allows arbitrary cookie injection/modification via `set_cookies()` with no user-facing warning, policy checks, or domain validation. This can let an agent alter authentication state, plant tracking or CSRF-related cookies, or force the browser into attacker-chosen sessions, enabling account confusion, session fixation, or persistence across browsing actions. In this skill context, direct cookie manipulation is highly sensitive because it affects active browser trust boundaries.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This tool directly executes caller-supplied JavaScript in the active browser tab without any built-in warning, policy gate, or disclosure that arbitrary page-context code will run. In an agent skill, that increases the chance of unsafe use such as data exfiltration from the DOM, unauthorized page actions, or execution against sensitive authenticated sessions, especially if upstream prompts or users do not clearly understand the capability.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The tool writes screenshot bytes directly to a user-supplied filesystem path with no validation, sandboxing, or restriction to an approved output directory. In an agent context, this can be abused to overwrite arbitrary files writable by the process, place files in sensitive locations, or bypass operator expectations about where captured page content is stored, which increases risk because screenshots may contain sensitive information.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This tool performs browser navigation and fetches related resources derived from a user-supplied URL, including /robots.txt, common sitemap paths, nested sitemap URLs, and page URLs listed in sitemaps, without validating or constraining the destination. That creates an SSRF-style capability and can be abused to make the agent access internal services, cloud metadata endpoints, or otherwise sensitive network locations reachable from the agent environment.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The tool returns a full ARIA/accessibility snapshot of the current page, including element names, text content, structure, and some properties, without any indication of consent checks, redaction, origin restrictions, or user disclosure. In an agent/browser-use context, this can expose sensitive page content from authenticated sessions or private documents to downstream components or logs, making the data-exposure risk real even if the implementation is not overtly malicious.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The tool returns a full summary of all open tabs, including each tab's title and URL, even though the requested action is only to switch to one tab. In an agent/browser automation context, this unnecessarily expands data exposure and can leak sensitive browsing context such as internal dashboards, private documents, tokens in URLs, or unrelated user activity to downstream model steps, logs, or callers.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This tool enumerates all open browser tabs and returns their titles and full URLs in both structured output and a human-readable summary, which can expose sensitive information such as authentication callback URLs, internal app endpoints, document names, search queries, or account pages. In an agent skill context, this is especially risky because tab metadata from unrelated browsing sessions may be exfiltrated to the model or downstream tools without clear user awareness or scope limitation.

Ssd 4

High
Confidence
97% confidence
Finding
Presenting session capture and reuse as a standard workflow lowers the barrier to credential misuse and makes authenticated replay seem routine. Because browser sessions often include cookies and tokens sufficient to impersonate a user, this can lead to account takeover or unauthorized actions without needing a password.

Ssd 2

Medium
Confidence
94% confidence
Finding
The 'human emulation' recipe is explicitly framed as a method to bypass bot detection on protected sites, which is an evasion tactic rather than a neutral testing feature. In a browser automation context, such guidance can be used to defeat anti-abuse controls and facilitate scraping or other unauthorized automation.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal