ClawHub

God of all Browsers

Security checks across malware telemetry and agentic risk

Overview

This is a powerful browser automation skill whose core behavior is disclosed, but it combines persistent login sessions, bot-evasion, arbitrary in-page JavaScript, and automatic confirmations in ways users should review carefully.

Install only if you intentionally need high-power browser automation. Use a dedicated non-sensitive browser profile in an isolated environment, avoid important accounts, do not automate sites where you lack permission, review every eval script before running it, and manually delete chrome_profile, session.json, recordings, and learning files when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The eval command allows arbitrary JavaScript execution in the browser context, including code loaded from external files, which enables unrestricted DOM manipulation, data extraction, and potentially sensitive actions under the user's authenticated session. Requiring a --force flag is not a meaningful security boundary if an agent or operator can still invoke it, especially in a skill explicitly designed for automation against protected sites.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The eval command intentionally executes attacker-supplied JavaScript inside the active browser page via AsyncFunction, with only a weak opt-in guard (--force or GOD_AUTO_EVAL=true). In a browser automation skill that persists cookies and sessions, this enables arbitrary DOM access, credential theft, session exfiltration, and actions as the logged-in user across any visited site.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script intentionally harvests Google Maps listing data into structured CSV/JSON output, including phone numbers, addresses, websites, and map links for up to 50 businesses. In the context of a browser automation skill whose description emphasizes human-like browsing and persistent cookies, this materially expands the capability into bulk contact scraping, which can facilitate lead harvesting, unsolicited outreach, or terms-of-service violations.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The stored learning entry explicitly recommends preserving an authenticated LinkedIn session to enable persistent automation after manual login. In the context of a browser automation skill that already emphasizes cookie persistence and anti-bot behavior, this creates a durable capability for authenticated scraping or account misuse beyond ordinary browsing assistance.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill promotes permanent preservation of login sessions and cookies via a persistent profile and session export, but provides no meaningful privacy or security warning about storing authenticated state on disk. If the host is shared, compromised, or reused across tasks, those artifacts can be stolen or misused to impersonate the user across websites.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
Automatically clicking away popups without user confirmation can trigger unintended consent, dismiss legal notices, accept tracking, or interact with security-relevant prompts. In a browser automation context, that behavior is especially risky because it operates on arbitrary third-party websites where the semantic meaning of a popup cannot be safely generalized.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The eval capability is presented as usable with a --force flag but lacks a clear warning that arbitrary browser-context JavaScript can read page content, alter application state, submit actions, and access data exposed to the logged-in session. In this skill's context—stateful automation with preserved cookies and anti-detection features—that omission makes the capability substantially more dangerous, not less.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
After typing, the tool automatically presses Enter without explicit consent or warning, which can submit forms, trigger purchases, send messages, or execute other state-changing actions. In a browser automation tool with preserved authenticated sessions, this side effect increases the chance of unintended or harmful actions on behalf of the user.

Missing User Warnings

High
Confidence
93% confidence
Finding
The code auto-accepts all dialogs across pages, which can bypass user intent and confirm destructive or sensitive operations such as navigation warnings, deletions, downloads, or transaction confirmations. In an automation context that aims to mimic human behavior and maintain sessions, silent acceptance materially increases the risk of unsafe actions being completed without review.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code extracts and normalizes phone numbers and addresses from listing panels without any notice, consent workflow, or disclosure to the user about collecting contact information. While business listing data is often public, automated aggregation at scale increases privacy and abuse risk, especially when paired with a browser automation tool designed to evade detection and preserve session state.

Natural-Language Policy Violations

Medium
Confidence
96% confidence
Finding
The natural-language lesson advises maintaining a saved LinkedIn login session so automation can continue accessing content unavailable to guests. That is dangerous because it normalizes persistent authenticated access for data extraction, increasing the risk of unauthorized scraping, privacy violations, and reuse of stored credentials or session cookies.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal