browser-mcp

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed browser-automation helper, but it can control an already logged-in Chrome session and includes under-scoped remote-debugging and network-allowlist guidance.

Install only if you intentionally want an agent to operate a real Chrome browser. Prefer a dedicated low-privilege Chrome profile, keep DevTools bound to localhost, do not expose port 9222 on a network, keep SSRF allowlists narrow, and require explicit confirmation before submitting forms, posting content, changing account settings, or using authenticated sites.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The skill explicitly documents exposing Chrome DevTools remote debugging over the network and attaching to a boss's already logged-in browser session. That creates a powerful remote-control channel into authenticated web sessions, enabling account takeover, data exfiltration, and unauthorized actions far beyond normal browser automation; the 'boss logged-in browser' context makes this substantially more dangerous.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The skill includes guidance to modify SSRF allowlists and restart the gateway to reach additional hosts, which expands network reach beyond ordinary page automation. In combination with browser/network tooling, this can weaken platform protections and facilitate access to internal, private, or otherwise restricted destinations if misused.

Vague Triggers

Medium
Confidence: 94%
Finding
The trigger phrases are extremely broad for a skill that can remotely control an existing Chrome session, causing accidental invocation during normal browsing-related requests. In this context, unintended activation can expose authenticated sessions, page contents, and browser actions to automation without clear user intent, which raises privacy and integrity risk.

Missing User Warnings

High
Confidence: 97%
Finding
The README promotes remote control of Chrome, operation against blocked sites, and SSRF allowlist configuration, but does not warn users about the security consequences of attaching to a live browser session. Because the skill can interact with authenticated pages and potentially weaken network access restrictions, missing warnings materially increase the chance of unsafe deployment and misuse.

Vague Triggers

High
Confidence: 91%
Finding
The trigger phrases are extremely broad and map to many ordinary browsing requests, increasing the chance the skill auto-activates in situations the user did not intend. Because this skill can drive a real logged-in browser session, overbroad invocation materially raises the risk of unintended sensitive actions on real accounts and data.

Missing User Warnings

High
Confidence: 97%
Finding
The documentation states the browser is the boss's logged-in Chrome and that the tool directly controls that session, but it does not present this as a prominent safety warning to the end user. Users may not realize actions can affect real accounts, spend money, change settings, or expose sensitive data, making accidental misuse much more likely.

VirusTotal

59/59 vendors flagged this skill as clean.