Baoyu Danger Gemini Web

Security checks across malware telemetry and agentic risk

Overview

This skill is a real Gemini web client, but it needs review because it can reuse browser sessions and store live Google/Gemini cookies on disk.

Install only if you are comfortable with a reverse-engineered Gemini Web client using your browser-authenticated Google session. Prefer a dedicated Chrome profile via --profile-dir or GEMINI_WEB_CHROME_PROFILE_DIR, use a dedicated Google account if possible, protect or periodically delete the cookie file, and avoid passing sensitive local files as reference inputs unless you intend to upload them to Gemini.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • YARA Signatures: Malware Match, Webshell Match, Cryptominer Match
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises and enables access to environment variables and networked behavior without declaring equivalent permissions or clearly surfacing that trust boundary to the user. Undeclared capabilities are dangerous because they reduce transparency and can hide sensitive data access, outbound connections, or policy-bypassing behavior behind a seemingly simple generation skill.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
This is a real and significant mismatch: the skill is presented as a Gemini text/image generator, but the documented behavior includes browser control, extraction/reuse of authentication cookies, persistence of auth material and chat history, and management of Gemini 'gems'. That broader behavior materially changes the security posture because it can access local browser session state and long-lived credentials, increasing the risk of account compromise, privacy exposure, and unintended actions against the user's Gemini account.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This file exposes full CRUD operations for Gemini 'gems' (fetch, create, update, delete), which are effectively saved personas/prompts and persistent account-scoped state. That capability exceeds the stated skill scope of text/image generation and can let the skill read or modify a user's saved prompts without clear user intent, creating a scope-creep and unauthorized state-manipulation risk. In this context, the mismatch is more dangerous because reverse-engineered web APIs often operate with the user's live authenticated session, so these methods could silently alter persistent data tied to the account.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
This code automatically loads Google authentication cookies from the local browser, combines them with cached values, and persists working session cookies to disk for later reuse. That gives the skill access to broader account-authentication material than a normal text/image generation backend should require, and if the host is multi-tenant or the cache is exposed, those cookies could enable unauthorized access to the user's Google account session.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This code actively connects to an existing or newly launched Chrome debugging session, reads Google/Gemini cookies for multiple Google domains, verifies session validity, and then persists those cookies to disk. That behavior is credential harvesting: it captures reusable authenticated session material outside normal browser boundaries, enabling account/session takeover and going well beyond the stated image/text generation purpose.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This code enumerates default Chrome user-data directories, reads DevToolsActivePort files, inspects running processes, and connects to any reachable local Chrome DevTools endpoint. That allows the skill to attach to and manipulate an already-running browser profile, potentially accessing authenticated tabs, cookies, page content, and session state far beyond the stated Gemini generation backend purpose. In this skill context, the ability to reuse arbitrary existing Chrome sessions is especially dangerous because it expands from 'generate content' into stealthy browser/session inspection.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The client persists authenticated Gemini web cookies to disk via write_cookie_file(...) immediately after initialization, with no indication in this file that the user explicitly consented to credential storage or that the file is protected. Persisted session cookies are bearer secrets; if the host, workspace, logs, backups, or artifact bundle are accessed by another process or user, the attacker can replay the session and act as the authenticated account.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The auto-refresh path writes refreshed __Secure-1PSIDTS cookie material back to disk, extending the lifetime of locally stored authentication secrets. This increases exposure because a stolen cookie file remains current over time, making session hijack more practical and reducing the protective value of cookie expiration.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The save method performs a network fetch of an attacker-controlled URL, follows redirects, and writes the response directly to disk with no unconditional user-facing notice or approval. In an agent skill context, this can enable silent remote content retrieval and file creation, increasing the risk of SSRF-like access to internal resources, unintended downloads, or persistence of untrusted content on the host.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This code persists authentication cookie data to disk in plaintext JSON, which can expose sensitive session tokens to other local users, backup systems, logs, or malware if file permissions are not tightly restricted. In the context of a reverse-engineered Gemini Web API client, these cookies likely represent live authenticated web sessions, so theft could enable account/session hijacking and unauthorized access.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
At this point in the flow, the skill attempts to read cookies from Chrome/Google without any evidence in this file of explicit warning, consent, or interactive confirmation. Accessing browser session cookies is highly sensitive because it can silently repurpose an existing authenticated session and bypass normal login expectations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This code writes successful authentication cookies back to a cookie file after initialization, creating a durable on-disk copy of sensitive Google session material. Persisting such cookies increases the chance of credential theft via local compromise, accidental backup/sync leakage, or later misuse by unrelated code.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The file writes harvested browser cookies to a local cookie file without any user-facing disclosure or consent mechanism in this code path. Persisting live authentication cookies increases exposure because other local processes, future runs, backups, or accidental file disclosure can reuse those credentials.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code writes the refreshed `__Secure-1PSIDTS` authentication cookie to a predictable on-disk cache file derived from the `__Secure-1PSID` value. Session cookies are highly sensitive bearer secrets, and persisting them to disk increases the attack surface through local file disclosure, weak filesystem permissions, backups, logs, or multi-user environments.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This function reads an arbitrary local file path and uploads its full contents to a remote Gemini-related endpoint, with no in-function consent check, allowlist, or disclosure mechanism. In an agent skill context, that is dangerous because another component or prompt path could cause sensitive local files to be exfiltrated to an external service without the user clearly understanding that a local file is being transmitted.

YARA rule 'info_stealer': Information stealer patterns (credential harvesting, browser data theft) [malware]

High
Category
YARA Match
Content
candidates.push(merge_cookie_maps(extra, cookies));
      }
    } catch (e) {
      if (verbose) logger.warning(`Failed to load cookies via Chrome CDP: ${e instanceof Error ? e.message : String(e)}`);
    }
  }
Confidence
89% confidence
Finding
cookies via Chrome

YARA rule 'info_stealer': Information stealer patterns (credential harvesting, browser data theft) [malware]

High
Category
YARA Match
Content
}
}

async function fetch_cookies_from_existing_chrome(
  timeoutMs: number,
  verbose: boolean,
): Promise<CookieMap | null> {
Confidence
99% confidence
Finding
cookies_from_existing_chrome; Cookies = hasExplicitProfile ? null : await fetch_cookies_from_existing_chrome; cookies_from_existing_chrome

VirusTotal

65/65 vendors flagged this skill as clean.