holiday-enough

Security checks across malware telemetry and agentic risk

Overview

This travel-planning skill asks for broad control of a user's live Chrome browser, which is much more access than its purpose requires.

Install only after careful review. If used, run it in a separate Chrome profile with no sensitive accounts or tabs, avoid granting access to private browsing sessions or local files, and stop the proxy after use. The artifact evidence does not show proven malware or external exfiltration, but the browser-control surface is overbroad and under-scoped for the stated travel-planning task.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding:
The skill requires enabling Chrome remote debugging and interacting with a local CDP bridge for a simple travel-duration task, which expands privileges far beyond what is necessary. This creates unnecessary access to the user's browser context and can expose session data or browsing state if misused or if the local bridge is not well secured.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
The skill instructs automated extraction from a logged-in, anti-scraping platform via the user's browser session, including opening pages, reading DOM content, and iterating through multiple notes. This can misuse authenticated access, expose personal account context, and bypass normal user expectations about how their logged-in browser state is used.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding:
This file implements a full Chrome DevTools Protocol proxy that can enumerate tabs, create/navigate pages, execute JavaScript, click elements, upload local files, scroll, take screenshots, and manipulate the user's existing Chrome session. That capability is far beyond the stated travel-time evaluation purpose, and because it targets the user's daily browser profile, it can access authenticated sessions and sensitive content if invoked by the skill.

Context-Inappropriate Capability

Severity: High
Confidence: 100%
Finding:
The /eval endpoint accepts arbitrary request body content or query input and passes it directly to Runtime.evaluate in the user's Chrome context. This gives callers unrestricted script execution against any attached page, enabling theft of page data, extraction of tokens from authenticated sessions, DOM manipulation, and triggering privileged browser actions through the user's real browser profile.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding:
The clickAt and setFiles functionality is explicitly designed to bypass normal user interaction barriers, including generating browser-level clicks that count as user gestures and setting file inputs directly. In the context of a skill that should only assess travel duration, these features create an unjustified path to perform sensitive actions on websites, upload local files, or evade anti-automation protections without meaningful user awareness.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding:
The screenshot endpoint can write image data to an arbitrary filesystem path provided by the caller. Although this is less severe than arbitrary JS execution, it still extends the skill into local file write behavior unrelated to travel analysis and can overwrite or plant files in locations the running process can access.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
This script performs Chrome remote-debugging port discovery, opens the browser's remote debugging settings page, and starts a detached CDP proxy process, which is unrelated to a travel-duration evaluation skill. Enabling or guiding users to enable browser remote debugging can expose browser targets, cookies, page contents, and active sessions to local interception or misuse, especially when paired with an always-on local proxy.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The skill sends browsing targets and extracted page context to a local HTTP service without clearly warning the user that browser-derived data is being transmitted to another process. Even though the destination is localhost, this is still an inter-process data transfer that can leak sensitive URLs, page content, or authenticated browsing context if the service is compromised or overly permissive.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
The setFiles endpoint allows direct injection of local file paths into a page's file input without any user-facing confirmation. In combination with control over the user's live Chrome session, this can silently upload sensitive local files to remote sites, which is especially dangerous because the skill's declared purpose gives users no reason to expect file exfiltration capabilities.

Missing User Warnings

Severity: High
Confidence: 97%
Finding:
The clickAt endpoint dispatches low-level mouse events specifically to create a real browser gesture, with comments noting it can trigger file dialogs and bypass anti-automation detection. That is a strong indicator of capability intended to circumvent normal safety and consent barriers, and it is unrelated to evaluating trip duration or itinerary fit.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
Arbitrary JavaScript execution in the user's browser is exposed with no user-facing warning, no approval flow, and no narrowing to travel-related domains or operations. Because this runs in the context of live pages in the user's everyday Chrome, it can covertly read or modify highly sensitive content while appearing to be a harmless travel-planning skill.

VirusTotal

66/66 vendors flagged this skill as clean.
