Ai Pa Browser Clawdbot

Security checks across malware telemetry and agentic risk

Overview

This is a powerful but coherent browser-automation skill, with sensitive capabilities that fit its stated purpose and are partly disclosed in its security notes.

Install only if you want an agent to operate browser sessions. Prefer isolated sessions over your real Chrome profile, protect saved state and auth files as you would passwords, avoid committing them, use eval/network routing only on trusted sites, and delete recordings or session files when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Context-Inappropriate Capability

High (95% confidence)
Finding
`agent-browser eval "document.title"` documents arbitrary JavaScript execution in the browser context, which is materially more powerful than simple navigation and accessibility snapshotting. In an agent setting, this can be abused to read or manipulate page DOM, extract sensitive data present in the page context, or perform unintended actions on authenticated sites.

Context-Inappropriate Capability

High (96% confidence)
Finding
Network routing and response modification (`network route ... --abort` / `--body`) enables interception, suppression, and tampering with browser traffic. In an AI-agent workflow this can facilitate credential capture, deceptive page manipulation, bypass of normal application behavior, or stealthy exfiltration/testing beyond the stated browsing purpose.

Missing User Warnings

Medium (88% confidence)
Finding
The skill explicitly documents saving and loading browser state files, which commonly contain authenticated session cookies, tokens, and other sensitive browsing artifacts, but provides no warning about their sensitivity or safe handling. In an AI-agent context, this increases the chance that operators or downstream automations persist reusable authentication material insecurely, enabling session theft or unintended cross-task credential reuse.

Missing User Warnings

Medium (93% confidence)
Finding
State save/load for browser auth data can persist cookies, tokens, and session artifacts to disk without any warning in the reference. In an agent environment, this increases the risk of credential leakage, accidental reuse across tasks, and unauthorized access if the saved state file is exposed.

Missing User Warnings

Medium (90% confidence)
Finding
Video recording can capture full page contents, user inputs, account information, and other sensitive activity, yet the documentation provides no privacy or handling warning. For an AI-operated browser, recording amplifies exposure because sensitive workflows may be captured and stored automatically.

Missing User Warnings

Medium (94% confidence)
Finding
Commands for credentials, cookies, and local storage directly manipulate secret and session material, but the reference omits any caution about secure handling. This can lead agents or users to expose passwords, session tokens, and persistent identifiers in logs, scripts, or shared artifacts.

Missing User Warnings

Medium (91% confidence)
Finding
The example explicitly saves and reloads authenticated browser state to a local file without any warning that the file may contain sensitive session cookies or tokens. In an agent-oriented browser automation tool, users may copy this pattern directly and store reusable auth material insecurely, enabling session theft or unintended account access if the file is exposed.

Missing User Warnings

Medium (89% confidence)
Finding
The multi-session example loads separate admin and user authentication state files but gives no guidance on privilege separation, secure handling, or the risk of mixing high-privilege sessions. In this context, agents may automate both roles, so weak handling of admin state can lead to privilege confusion, leakage of privileged sessions, or accidental use of admin credentials in broader workflows.

Missing User Warnings

Medium (87% confidence)
Finding
The recording example demonstrates capturing a browser session after loading authenticated state, but it does not warn that the resulting video may contain account data, tokens visible in the UI, internal application content, or other sensitive information. Because this skill is designed for headless/browser automation by agents, users may record real sessions and unintentionally create durable sensitive artifacts.

VirusTotal

63/63 vendors flagged this skill as clean.
