ClawHub

MoreLogin

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it should be reviewed because it gives an agent broad control over MoreLogin browser profiles and cloud phones with under-scoped device-control, destructive-operation, and scraping guidance.

Install only if you intentionally want an agent to manage real MoreLogin profiles and cloud phones. Keep the API target on localhost, avoid generic curl/API calls unless you approve the exact endpoint and body, and require explicit confirmation before cache clearing, deletion, ADB enablement, app uninstall, proxy changes, screenshots, cookie access, scraping, or anti-detection automation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (32)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documents and requires capabilities that interact with localhost HTTP services and local tooling (`node`, `adb`), but it does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: consumers may treat the skill as lower risk than it really is, while it can still drive profile, proxy, and cloud-phone operations through the MoreLogin Local API.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The README states the skill no longer exposes direct cloud phone execution, but immediately provides explicit ADB connection and command examples that let an operator run arbitrary shell commands, install apps, capture screens, and pull files from the device. In a skill focused on browser/profile and cloud phone management, this contradiction can mislead users and downstream agents into treating the capability as unavailable while still enabling powerful device control through the documented workflow.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The security section is internally inconsistent: it says local ADB/SSH methods were removed, yet it still references `exec`, remote cloud phone execution toggles, allowlists, and ADB-related capabilities. Contradictory security claims are dangerous because they can mislead reviewers and operators into believing risky execution paths are gone when they may still exist or be re-enabled.

Description-Behavior Mismatch

High
Confidence
90% confidence
Finding
The example adds a generic scraping capability that is outside the stated MoreLogin administration purpose, including connecting to a browser over CDP, visiting an arbitrary URL from environment input, extracting page data, and writing results to disk. This kind of scope expansion is dangerous because it normalizes using the skill for arbitrary website data collection and can enable misuse or policy violations unrelated to managing local MoreLogin profiles or cloud phones.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The code accepts an arbitrary target URL via SCRAPE_URL and uses a connected browser session to navigate and extract structured content, which creates a reusable arbitrary web scraping primitive not justified by the skill's declared purpose. In the context of an anti-detect browser management skill, this is more concerning because it can facilitate covert automation against third-party sites under the cover of profile-management tooling.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The example goes beyond managing MoreLogin profiles by attaching to the profile's browser, visiting an external site, extracting page content, and saving a screenshot to disk. In a skill centered on anti-detect browser/profile management, this materially increases capability into generic browser automation and data capture, which can be repurposed to collect sensitive information from authenticated sessions.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The file is presented as a MoreLogin example but explicitly performs a BTC price lookup on Google, which is outside the declared management scope. Scope expansion is dangerous here because MoreLogin starts real browser profiles that may contain cookies, identities, or active sessions, so unrelated automation can interact with external websites under those identities.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The API exposes `/api/cloudphone/exeCommand`, which permits arbitrary shell-command execution on cloud phones. That is materially more powerful than the manifest’s described cloud phone power/file/app operations, and could be used to run unauthorized commands, alter device state, exfiltrate data, or install tooling on remote devices.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill includes schedule/RPA task creation, execution, and cancellation endpoints that extend beyond the manifest’s stated capabilities. This expands the automation surface from direct device management into persistent and potentially unattended task orchestration, increasing the risk of stealthy or unintended actions over time.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide instructs users to record profile names, identifiers, and regional/account metadata in a local documentation file without cautioning that this creates a durable inventory of sensitive operational data. In the context of an anti-detect browser / multi-account automation tool, these identifiers can help an attacker or other local user map accounts, targets, and infrastructure even if they are not direct credentials.

Missing User Warnings

Low
Confidence
84% confidence
Finding
Persisting MORELOGIN_DEFAULT_PROFILE in shell startup files exposes a stable profile identifier through long-lived environment configuration that may be inherited by child processes, surfaced in debugging output, or disclosed in backups/dotfile sync. While not a secret by itself, in this skill it can reveal which anti-detect profile is operationally important and aid account correlation or targeting.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README includes concrete ADB commands that can modify the cloud phone state, install software, execute shell actions, and extract screenshots/files, but provides no cautionary framing, consent requirement, or limitation guidance. Because this skill is explicitly for multi-account automation and cloud phone management, such examples materially lower the barrier to intrusive device manipulation and data access.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README instructs users to place an API token in a general TOOLS.md file without any guidance on secure storage, redaction, file permissions, or avoiding commits to version control. In a skill that manages browser profiles, proxies, and cloud phones, exposed tokens could permit unauthorized local API use or account automation abuse.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The documentation includes cache-clearing operations that can remove cookies, local storage, and cloud cache without warning that these actions may log users out, destroy session state, or erase forensic/audit-relevant data. Because this skill targets anti-detect browser profiles and multi-account automation, accidental destructive use is more consequential than in ordinary browser tooling.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README documents delete operations for proxies, groups, and tags with no warning that deletion is irreversible and may disrupt profile routing, organization, or automation workflows. In this operational context, accidental deletion can break account isolation setups and cause broad service misconfiguration.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The examples write screenshots, scraped content, and PDFs to local files without warning that these artifacts may contain credentials, PII, account data, or sensitive browsing state. Given the skill's purpose—controlling isolated browser profiles and cloud phones—local artifact creation materially increases the risk of sensitive data retention and leakage.

Missing User Warnings

Medium
Confidence
76% confidence
Finding
The documentation exposes irreversible profile deletion and cache-clearing operations without any warning, confirmation guidance, or safeguards. In a skill that manages browser identities and cloud resources, this increases the chance of accidental destructive actions that can erase user state, cookies, and profiles.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
Documenting app uninstall operations without warning can lead users or downstream agents to remove software from target cloud phones unintentionally. Because these devices may hold configured apps, sessions, or operational dependencies, accidental uninstall can disrupt workflows and destroy state.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
Listing proxy, group, and tag deletion commands without caution encourages unsafe copy-paste execution of destructive actions. In this skill's context, deleting these resources can break routing, organization, and profile management across many managed accounts.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The generic API passthrough can invoke arbitrary local API endpoints, including state-changing ones, yet the documentation presents it with no safety framing. In a local browser/cloud-phone management skill, this materially expands the attack surface because users may execute destructive or privacy-impacting operations outside the curated CLI commands.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
Later sections repeat destructive resource-management commands with no cautions, reinforcing unsafe operation patterns. Repetition in a usage guide increases the likelihood that an agent or user will treat deletion as routine rather than a high-impact action.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The automation examples normalize screenshot capture, cookie access, form filling, and bulk data extraction without any privacy, authorization, or data-handling warnings. In the context of anti-detect browser profiles and multi-account automation, these examples can facilitate collection of sensitive user/session data and unauthorized automation.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The guide explicitly recommends anti-crawler and anti-detection evasion techniques such as simulating human behavior, adding random delays, and rotating proxies. In a skill already centered on anti-detect browser profiles and multi-account automation, this materially increases misuse potential for fraud, scraping-policy evasion, and account abuse.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script captures and stores a screenshot locally without prompting the user or warning that browser contents will be written to disk. Because the browser session comes from a MoreLogin profile, screenshots may contain sensitive account data, identifiers, balances, or private messages, creating unnecessary local data exposure.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The automation opens an external Google search from a MoreLogin-controlled browser profile without clear disclosure that network requests will be made from that profile context. This can leak the profile's fingerprint, IP/proxy characteristics, cookies, and browsing metadata to a third party, which is especially sensitive in an anti-detect or multi-account environment.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal