Autoglm Browser Agent

Security checks across malware telemetry and agentic risk

Overview

This is a powerful browser automation skill whose behavior is mostly disclosed, but it asks for enough account control, local execution, persistence, and screenshot sharing to require careful review before use.

Install only if you trust the publisher, the Chrome extension, and the local relay/server binaries. Keep trust mode off for normal use, avoid financial or highly sensitive accounts, review any Feishu or IM credential setup, and after sensitive tasks clear the ~/.openclaw-autoclaw state and stop the relay process.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The skill directs the agent to remove macOS quarantine attributes from local binaries and launch a background relay process before browser actions. That expands the skill from ordinary browser automation into local code execution and persistence, increasing the risk of running untrusted binaries or weakening host protections without explicit user approval.

Context-Inappropriate Capability

Severity: Low
Confidence: 82%
Finding
The skill requires reading a local session/state file to decide how to continue browser activity. While limited in scope, this extends the skill into local filesystem access unrelated to the immediate browser command, creating unnecessary exposure of host state and cross-task context.

Context-Inappropriate Capability

Severity: Low
Confidence: 90%
Finding
Persisting a trust-mode preference in a local config file allows future sensitive actions to be auto-approved without per-action confirmation. That creates durable authorization beyond the current interaction, so later tasks may perform account actions with reduced user visibility.
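The state cleanup and trust-mode advice in the overview, the quarantine-stripping finding, and the persisted trust-mode finding above can all be checked from the host side. The following audit script is an added example for this report; it is not code from SkillSpector or from the Autoglm skill. It assumes, hypothetically, that the skill keeps JSON files under ~/.openclaw-autoclaw and records the trust preference under a key such as trust_mode, trustMode or auto_approve; the sample state directory it builds for demo() is constructed, not real skill output. Adjust STATE_DIR and TRUST_KEYS to the real on-disk layout before relying on it.

```python
"""Audit and reset the local state a browser-automation skill leaves behind.

Added example for this report, not code from SkillSpector or the skill.
Hypothetical assumptions: JSON state under ~/.openclaw-autoclaw and a
trust-mode preference stored under one of the key names in TRUST_KEYS.
"""
import json
import shutil
import subprocess
import tempfile
from pathlib import Path

DEFAULT_STATE_DIR = Path.home() / ".openclaw-autoclaw"                   # path named in the report
TRUST_KEYS = {"trust_mode", "trustMode", "auto_approve", "autoApprove"}  # assumed key names


def _walk(obj):
    """Yield every (key, value) pair in a nested JSON structure, depth first."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield key, value
            yield from _walk(value)
    elif isinstance(obj, list):
        for item in obj:
            yield from _walk(item)


def find_persisted_trust(state_dir: Path) -> list:
    """Return (file, key) for each truthy trust/auto-approve flag persisted on disk.

    A truthy flag is the durable authorization the finding describes: later
    tasks can take account actions without a per-action confirmation.
    """
    if not state_dir.is_dir():
        return []
    hits = []
    for path in sorted(state_dir.rglob("*.json")):
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON: nothing to assess here
        for key, value in _walk(data):
            if key in TRUST_KEYS and value:
                hits.append((path, key))
    return hits


def _reset(obj) -> int:
    """Set truthy trust flags to False in place; return how many were reset."""
    count = 0
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key in TRUST_KEYS and value:
                obj[key] = False
                count += 1
            else:
                count += _reset(value)
    elif isinstance(obj, list):
        for item in obj:
            count += _reset(item)
    return count


def disable_persisted_trust(state_dir: Path) -> int:
    """Rewrite every persisted trust flag to False; return the number of flags changed."""
    changed = 0
    for path in {p for p, _ in find_persisted_trust(state_dir)}:
        data = json.loads(path.read_text(encoding="utf-8"))
        changed += _reset(data)
        path.write_text(json.dumps(data, indent=2), encoding="utf-8")
    return changed


def wipe_state(state_dir: Path) -> bool:
    """Remove the whole state directory after a sensitive task; True if something was removed."""
    if not state_dir.is_dir():
        return False
    shutil.rmtree(state_dir)
    return True


def macos_quarantine_present(binary: Path):
    """True if com.apple.quarantine is still set on the binary, False if it was stripped,
    None when the macOS xattr tool is unavailable (e.g. on Linux) and nothing can be said."""
    if shutil.which("xattr") is None:
        return None
    result = subprocess.run(["xattr", "-p", "com.apple.quarantine", str(binary)],
                            capture_output=True, text=True)
    return result.returncode == 0


def demo() -> dict:
    """Run the audit against a constructed sample state directory (not real skill output)."""
    root = Path(tempfile.mkdtemp()) / ".openclaw-autoclaw"
    (root / "profiles").mkdir(parents=True)
    (root / "config.json").write_text(json.dumps({"trustMode": True, "relay_port": 8765}))
    (root / "profiles" / "default.json").write_text(
        json.dumps({"session": {"auto_approve": True, "trust_mode": False}}))
    before = len(find_persisted_trust(root))      # 2: trustMode and the nested auto_approve
    reset = disable_persisted_trust(root)         # 2 flags rewritten to False
    after = len(find_persisted_trust(root))       # 0
    return {"before": before, "reset": reset, "after": after,
            "wiped": wipe_state(root), "wiped_again": wipe_state(root)}


if __name__ == "__main__":
    print(demo())
    print("real state:", find_persisted_trust(DEFAULT_STATE_DIR))
```

Run find_persisted_trust against the real directory before a sensitive task to confirm trust mode is off, disable_persisted_trust if it is not, and wipe_state afterwards so no session or trust state outlives the task. macos_quarantine_present lets you confirm whether the relay binaries have already had their quarantine flag removed; a False result on a freshly downloaded binary means Gatekeeper will no longer assess it, so verify its signature by other means before launching it.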

Intent-Code Divergence

Severity: Medium
Confidence: 78%
Finding
The file gives contradictory rules: task text must exactly match user input, but elsewhere it instructs rewriting tasks by adding defaults and stripping non-browser parts. Such ambiguity can cause the agent to silently transform user intent, potentially broadening actions or performing operations the user did not explicitly request.

Intent-Code Divergence

Severity: Medium
Confidence: 84%
Finding
The skill claims to only support browser operations, but later includes IM-channel delivery workflows and local file upload behavior. This mismatch obscures the real capability surface and can mislead users and orchestrators about data exfiltration paths and side effects.

Vague Triggers

Severity: High
Confidence: 94%
Finding
The activation rule triggers whenever the user mentions any website, URL, or web operation, which is overly broad for a skill that can log in, post, message, and interact with accounts. Over-selection increases the chance that this powerful skill is invoked for benign browsing requests where a less privileged tool would suffice.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The description advertises broad capabilities including login, posting, messaging, and social interactions, but lacks a prominent warning about account-impacting actions and credential-related risk. In this context, insufficient disclosure makes misuse more likely because users may not realize the skill can take real actions on live services.

VirusTotal

65/65 vendors rated this skill as clean; none flagged it as malicious. Note that this covers the packaged files only and says nothing about the runtime behaviors described in the findings above.
