ClawHub

Multilogin X

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches Multilogin browser automation, but it needs review because it handles account credentials, installs unverified external binaries, and shows unsafe cross-node credential passing.

Install only if you trust the Multilogin binary source and are comfortable giving an agent access to your Multilogin account and browser profiles. Use a dedicated low-privilege account, avoid putting passwords in prompts or command lines, do not send credentials through sessions_spawn messages, verify downloaded binaries where possible, stop the launcher when finished, and clear or revoke local xcli tokens on shared machines.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill’s declared purpose is limited to managing Multilogin browser profiles and launcher state, but the documented command surface exposes much broader administrative capabilities including folders, workspaces, scripts, objects, tags, billing, and security controls. This overbroad scope increases the chance an agent will invoke sensitive or destructive operations outside user intent, violating least privilege and expanding the blast radius of misuse.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The inclusion of 2FA management commands is unrelated to the stated purpose of browser-profile management and exposes account-security controls that could disable or weaken user protections. In an agent context, this is especially dangerous because an agent given this skill could be induced to alter authentication settings or access backup codes under the guise of routine profile operations.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Object and extension management, especially creating extensions from external URLs, goes beyond simple profile management and introduces a path for importing untrusted code or data into browser environments. This broadens the skill from profile orchestration into software/content installation, which materially raises supply-chain and persistence risks.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill instructs use of cross-agent delegation via sessions_spawn, which extends its effective power beyond local xcli profile management into remote task execution on another node. This creates an additional trust boundary and can propagate sensitive commands and data to another agent context, increasing the chance of unauthorized execution or leakage.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill directs the agent to collect credentials and notes that tokens are stored locally, but it does not warn about secret exposure, shell history leakage, process-list visibility, or local token persistence. In practice, this encourages unsafe credential handling patterns that may expose account access to logs, other local users, or downstream tools.

Missing User Warnings

High
Confidence
99% confidence
Finding
The delegation example embeds plaintext credentials directly inside a spawned node message, which can expose them to logs, traces, message stores, debugging tools, and the remote node operator. Because the credentials are transmitted across an inter-agent boundary, this materially increases both exposure surface and persistence of the secret.

Ssd 3

High
Confidence
97% confidence
Finding
The skill explicitly instructs the agent to request, handle, and potentially relay account credentials in plain language, creating a direct semantic data-leak risk. Credentials are among the highest-sensitivity data types, and normalizing plaintext handling makes compromise via logs, transcripts, memory, or operator review far more likely.

Ssd 3

High
Confidence
100% confidence
Finding
The example message to the spawned node contains a raw username and password, which is a textbook secret exfiltration pattern across a messaging boundary. This is especially dangerous in agent systems because task messages are often retained, observable by infrastructure, and accessible to multiple components beyond the immediate recipient.

VirusTotal

55/55 vendors flagged this skill as clean.

View on VirusTotal