
Security audit

07 互联网访问 (Internet Access)

Security checks across malware telemetry and agentic risk

Overview

This skill provides real web-access functionality, but it also imports and stores browser session cookies, changes the host environment, and installs itself into agent directories with insufficient consent and scoping.

Install only if you are comfortable with an agent managing system packages and handling account/session credentials. Prefer safe or dry-run mode, avoid sending cookies or API keys through chat, use dedicated low-privilege accounts, review any ~/.bashrc and skill-directory changes, and remove stored cookies/configuration when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (30)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 96%
Finding: The skill advertises broad capabilities including shell commands, environment-variable handling, file reads/writes, and network access, yet declares no permissions. This creates a transparency and governance failure: an agent or reviewer cannot accurately understand the trust boundary before installation or use, increasing the chance of unexpected local system changes, secret access, or outbound data flows.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 98%
Finding: The documented purpose is simple web access, but the described behavior expands into local browser cookie extraction, persistence of secrets, environment/profile modification, package installation, security scanning, monitoring, and cross-skill bridging. This mismatch is dangerous because users may grant trust for a narrow browsing function while the skill actually gains access to sensitive local data and performs privileged host changes far outside that scope.

Context-Inappropriate Capability
Severity: Medium
Confidence: 96%
Finding: The installer performs system-level package installation, repository modification, and global npm installs, which are outside the normal scope of a web-access skill. This broad host-modification capability meaningfully increases risk because compromise or misuse of the skill can alter the user's operating environment, package trust roots, and available executables.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: The installer writes a skill file into multiple agent/framework skill directories and even creates a default persistence location under ~/.openclaw/skills. For a web-access skill, modifying other agent environments is beyond the stated purpose and creates persistence behavior that can surprise users or be abused to plant capability into other runtimes.

Description-Behavior Mismatch
Severity: Medium
Confidence: 92%
Finding: The file's behavior materially exceeds a generic 'web access' capability by harvesting local browser cookies for specific third-party services and turning them into reusable credentials. This mismatch is dangerous because it hides sensitive credential-access functionality behind an innocuous description, reducing user awareness and informed consent.

Context-Inappropriate Capability
Severity: High
Confidence: 98%
Finding: The code reads authentication cookies from local browsers and persists them as configuration values, effectively importing live session credentials for Twitter/X, XiaoHongShu, and Bilibili. Session cookies can grant account access without passwords, so this creates a direct credential-exfiltration and account-takeover risk if the agent, logs, config store, or downstream components are compromised.

Intent-Code Divergence
Severity: Medium
Confidence: 90%
Finding: The docstring presents the module as general platform support, but the implementation specifically extracts login cookies and configures them as credentials for named services. This framing obscures the true sensitivity of the operation and increases the chance that users or reviewers will approve or run it without understanding it accesses authenticated browser state.

Intent-Code Divergence
Severity: High
Confidence: 98%
Finding: The guide claims the provided Twitter cookies are '只读' (read-only) and that the agent will not perform actions, but auth_token and ct0 are session credentials that can generally authenticate the user and may permit posting, liking, DM access, or other account actions depending on account state and tool behavior. Misrepresenting these credentials as read-only lowers user caution and increases the chance they will disclose full-account secrets to an agent or operator.

Context-Inappropriate Capability
Severity: Medium
Confidence: 91%
Finding: The installer appends a proxy setting to ~/.bashrc, creating persistent shell state outside the skill's own directory. This exceeds a minimally scoped install action and can silently affect unrelated future shell sessions, network behavior, or other tools run by the user.

Intent-Code Divergence
Severity: Low
Confidence: 89%
Finding: The script tells the user it is saving a YouTube proxy as an environment variable, but actually persists it in ~/.bashrc. This mismatch is dangerous because it obscures the lasting side effect, reducing informed consent and making unexpected proxying of later sessions more likely.

Context-Inappropriate Capability
Severity: Medium
Confidence: 89%
Finding: The bridge persists fetched web content into a local memory database and cache even though the skill is presented as providing internet access. This creates unnecessary data retention and expands the trust boundary: content obtained from external sources may contain sensitive information, and storing it locally increases exposure, especially without explicit consent or retention controls.

Context-Inappropriate Capability
Severity: Medium
Confidence: 94%
Finding: The code prepends a home-directory path to sys.path and imports local modules from that location, allowing execution of arbitrary code placed in ~/ai-skills. In a security-sensitive agent environment, this weakens module trust guarantees and can be abused through path hijacking or malicious local skill placement.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: During install on a local machine, the tool automatically attempts to import browser cookies from Chrome/Firefox without asking for consent at the moment of access. Browser cookies are highly sensitive session credentials, and automatic extraction materially raises the risk of unauthorized account access if the agent or host is compromised or if the user did not understand this side effect.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The --from-browser option advertises auto-extracting all platform cookies but does not clearly warn that this reads sensitive browser session data. Users may invoke it expecting convenience without realizing it accesses reusable authentication material.

Missing User Warnings
Severity: High
Confidence: 97%
Finding: The browser cookie extraction code accesses highly sensitive authentication material from the user's local browser without any visible warning, disclosure, or consent gate in the code path. Because cookies like auth_token, ct0, and SESSDATA can represent active sessions, silently reading them can enable unauthorized impersonation and data access.

Missing User Warnings
Severity: High
Confidence: 98%
Finding: The code writes extracted session cookies directly into configuration keys, turning ephemeral browser state into persisted credentials with no user warning. Persisting these values broadens exposure to logs, backups, other components, and local compromise, making theft and replay of authenticated sessions significantly easier.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The guide instructs the agent to accept a user-provided Groq API key, persist it in configuration, and test it, but provides no guidance on secure handling, redaction, least-privilege storage, or avoiding exposure in logs/history. In an agent setting, asking for and storing secrets without safeguards increases the risk of credential leakage through chat transcripts, config files, telemetry, or debugging output.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The guide explicitly tells the user to send a proxy URL containing username and password to the agent, but provides no warning about secret handling, storage, redaction, or scope of use. In an agent context, this increases the risk of credential exposure through chat logs, telemetry, debugging output, or unintended reuse, especially because the credential is then persisted in configuration.

Missing User Warnings
Severity: High
Confidence: 97%
Finding: The instructions tell the user to export and send Twitter authentication cookies to the agent, which are highly sensitive secrets that can enable account takeover or impersonation if mishandled, logged, or exposed. In an agent skill context, this is especially dangerous because users may assume the assistant is a safe channel and may not understand that chat transcripts, plugins, or backend services could retain the credentials.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The guide explicitly instructs the agent to install Playwright and Chromium on the user's system and even tells the user they "do not need to do anything," which normalizes silent system modification. In an agent skill, automatic package and browser installation changes the host environment, consumes significant disk space, and may violate least-privilege or user-consent expectations, making this a real security and safety issue.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The guide explicitly tells users to log in and notes that authentication cookies will be stored inside the Docker container for 1–3 months, but it does not warn that these cookies are effectively session credentials. If the container, host, mounted volume, or backups are accessed by another party, the stored session may be reused to impersonate the user and access their Xiaohongshu account.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The proxy example embeds credentials directly in the command line (`http://user:pass@ip:port`) without warning that command-line arguments may be exposed through shell history, process listings, logs, screenshots, or copied configs. This can lead to accidental disclosure of proxy secrets and downstream abuse of the proxy account or infrastructure.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: Persisting a proxy setting by appending to ~/.bashrc without an explicit warning modifies the user's startup configuration in a way that is not obvious from the prompt. In a web-access skill, proxy settings can reroute traffic and impact privacy, connectivity, and behavior of unrelated software.

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: The installer writes the Twitter auth_token to cookies.json on disk before encryption, without clearly warning the user that a sensitive session credential will exist temporarily in plaintext. If another local process or backup tool accesses that file before deletion, the token could be exposed and account access compromised.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: Fetched content is written to local JSON cache files without a clear upfront warning, consent flow, or safeguards around what data may be retained. Web-access content can include sensitive or regulated information, so silent persistence raises confidentiality and privacy risks if the host is shared, backed up, or later compromised.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.