Brave Browser Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is a powerful live-browser automation tool that is mostly disclosed, but it gives broad control over a logged-in daily Brave profile and includes under-scoped anti-detection, session-data, and publishing workflows.

Install only if you are comfortable giving the agent control of a logged-in Brave profile. Prefer a separate Brave profile or test browser with no personal sessions, avoid using the cookie/storage examples unless explicitly needed, review every click-smart or publish-related command before use, and do not run it on accounts or pages where unintended posting, form submission, or data capture would be harmful.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The skill goes beyond ordinary browser automation and explicitly documents anti-detection techniques, framework-specific click bypasses, editor syncing, and publish-validation workflows for authenticated platforms. This is dangerous because it operationalizes evasion of site interaction defenses and enables automated actions under the user's existing logged-in sessions, increasing the risk of unauthorized posting, account abuse, and policy circumvention.

Intent-Code Divergence

Medium
Confidence: 90%
Finding
The documentation presents a 'read-first' and low-modification posture, but later provides extensive instructions for clicking, typing, key presses, editor synchronization, form submission, and publication validation. This inconsistency is dangerous because it can mislead reviewers or invoking agents about the real risk profile, causing state-changing actions to be performed where a read-only tool was expected.

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The documentation materially expands the skill from ordinary browser automation into anti-detection/evasion usage, which increases the likelihood the tool will be used to bypass site safeguards rather than simply browse or extract content. In a browser-control skill, guidance framed around avoiding detection lowers friction for abusive scraping or policy evasion and exceeds the declared purpose.

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The examples explicitly show how to read cookies, localStorage, and sessionStorage, which can expose authenticated session material, tracking identifiers, tokens, and other sensitive browser state. For a browsing/extraction skill, this broadens capability into credential/session data access without any guardrails, making misuse substantially more dangerous.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The anti-bot and anti-detection guidance is not necessary to satisfy the stated browsing and extraction purpose, but it does help operators interact with sites in ways intended to avoid detection. That makes the skill more suitable for scraping against site controls or abuse of web services, increasing misuse risk beyond normal automation.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
Referencing site-specific anti-detection strategies signals that the skill supports tailored evasion workflows for particular services, which is outside the declared browser automation scope. This creates a stronger operational path for misuse because it couples browser control with service-specific methods to reduce detection.

Context-Inappropriate Capability

Medium
Confidence: 85%
Finding
The script is presented as a CDP execution helper, but the CLI also dispatches into multiple other local automation modules, materially expanding its behavior surface beyond the documented direct browser-control functions. In an agent skill, this hidden delegation increases the chance of unexpected actions, broader page interaction, and less auditable execution paths, especially when combined with arbitrary browser automation against the user's live Brave profile.

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding
This helper goes beyond neutral browser clicking by automatically syncing editor state and validating whether a publish action succeeded. In the context of a browser-control skill, that materially increases the capability to complete content-submission workflows and hide ambiguity around irreversible actions, which raises the risk of unauthorized or unintended posting if higher-level callers invoke it on the wrong page or target.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The code force-invokes React/Vue internals, event handlers, editor APIs, and even attempts to spoof trusted user events, bypassing normal UI interaction constraints. That is dangerous because it can trigger application behavior that ordinary automation could not, including hidden, guarded, or intentionally hard-to-automate actions, increasing the chance of unauthorized state changes or abuse against web apps controlled through this skill.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill explicitly attaches to the user's daily Brave browser instance, which contains active login sessions and bookmarks, but it does not prominently warn that this grants access to highly sensitive account and browsing data. In context, this is especially dangerous because CDP access can inspect pages, extract content, take screenshots, and perform actions as the user across already-authenticated services.

Missing User Warnings

Medium
Confidence: 97%
Finding
The documentation normalizes extraction of cookies and browser storage without any warning that these locations often contain secrets, auth tokens, PII, or session state. In the context of a browser automation skill, this omission is dangerous because it encourages sensitive-data access as a routine pattern and can facilitate account compromise or covert collection.

Missing User Warnings

Medium
Confidence: 93%
Finding
The documentation explicitly enables automated publish/submit flows across multiple platforms and even includes success validation, but it does not warn that these actions may be irreversible or require explicit user confirmation. In a browser automation skill, this omission increases the risk of unintended real-world content publication, especially when combined with resilient fallback click strategies that bypass normal UI safeguards.

Missing User Warnings

Medium
Confidence: 91%
Finding
The document explicitly teaches anti-detection browsing patterns and content extraction from third-party sites, including comments and detail pages, without guardrails, warnings, or authorization constraints. In a browser-automation skill, this materially increases the likelihood of misuse for stealthy scraping, evasion of site defenses, and collection of user-generated content in ways that may violate site policies or privacy expectations.

Missing User Warnings

Medium
Confidence: 93%
Finding
This tool exposes arbitrary JavaScript execution in a selected live browser tab without any safety prompt, capability restriction, or trust boundary warning. In the context of a Brave CDP agent attached to the user's daily browser, injected JS can read page content, interact with authenticated sessions, manipulate forms, and exfiltrate sensitive data from open sites.

Missing User Warnings

Medium
Confidence: 88%
Finding
Screenshot capture silently writes rendered page contents to disk, which may include credentials, personal data, session-specific information, or confidential documents visible in the user's active browser context. In this skill's context, targeting a real daily Brave instance makes accidental or unauthorized persistence of sensitive data more dangerous than in an isolated test browser.

Missing User Warnings

Medium
Confidence: 90%
Finding
The smart-click flow can execute publish or submit operations and then treats success indicators as confirmation, but there is no user-facing warning, confirmation gate, or action classification for irreversible operations. In a browser automation agent, this makes accidental or prompt-induced posting materially more dangerous because a single call can complete a real-world side effect without friction.

VirusTotal

65/65 vendors flagged this skill as clean.