
Security audit

UI-Agent

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real UI automation skill, but it needs review because it gives broad browser, desktop, cookie, file, and process-control power without enough safety boundaries.

Install only in an isolated test environment or dedicated profile, not on a personal or production desktop. Avoid real accounts, secrets, sensitive screens, and broad file paths unless you explicitly intend the agent to control them. Treat the shell, cookie/session persistence, file upload, screenshot, and process-kill features as high-risk operations that need user approval and tight scoping.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (31)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    print(f"[vbox] ⚠️ Xvfb not responding — restarting on {display}...")

    # Kill any existing Xvfb
    subprocess.run(
        ["pkill", "-9", "-f", f"Xvfb {display}"],
        capture_output=True
    )
Confidence
86% confidence
Finding
subprocess.run( ["pkill", "-9", "-f", f"Xvfb {display}"], capture_output=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    pass

    # Kill any remaining
    subprocess.run(
        ["pkill", "-9", "-f", f"remote-debugging-port={CDP_PORT}"],
        capture_output=True
    )
Confidence
84% confidence
Finding
subprocess.run( ["pkill", "-9", "-f", f"remote-debugging-port={CDP_PORT}"], capture_output=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    raise RuntimeError("Xvfb failed to start")

    # Kill any existing Chrome
    subprocess.run(
        ["pkill", "-9", "-f", f"remote-debugging-port={CDP_PORT}"],
        capture_output=True
    )
Confidence
84% confidence
Finding
subprocess.run( ["pkill", "-9", "-f", f"remote-debugging-port={CDP_PORT}"], capture_output=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    print("[vbox] launching Chrome...")

    _proc = subprocess.Popen(
        ["google-chrome"] + CHROME_FLAGS + ["about:blank"],
        env=env,
        stdout=subprocess.DEVNULL,
Confidence
95% confidence
Finding
_proc = subprocess.Popen( ["google-chrome"] + CHROME_FLAGS + ["about:blank"], env=env, stdout=subprocess.DEVNULL, stderr=subprocess.PIPE, start_new_session=

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    cmd = [binary] + list(args)
    print(f"[launch] {app} on {display}")

    proc = subprocess.Popen(
        cmd, env=env,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL
Confidence
80% confidence
Finding
proc = subprocess.Popen( cmd, env=env, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def kill_app(name):
    """Kill app by process name."""
    subprocess.run(["pkill", "-f", name], capture_output=True)
    time.sleep(0.5)
    print(f"[kill] {name}")
Confidence
93% confidence
Finding
subprocess.run(["pkill", "-f", name], capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if running:
    print("✅ FM.1 PASSED")
    subprocess.run(["pkill", "-x", "nautilus"], capture_output=True)
else:
    print(f"❌ FM.1 FAILED - nautilus not running")
Confidence
82% confidence
Finding
subprocess.run(["pkill", "-x", "nautilus"], capture_output=True)

Tainted flow: 'display' from os.environ.get (line 166, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
    print(f"[vbox] ⚠️ Xvfb not responding — restarting on {display}...")

    # Kill any existing Xvfb
    subprocess.run(
        ["pkill", "-9", "-f", f"Xvfb {display}"],
        capture_output=True
    )
Confidence
87% confidence
Finding
subprocess.run( ["pkill", "-9", "-f", f"Xvfb {display}"], capture_output=True )
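The two tainted-flow findings above and the kill_app helper earlier share one root cause: pkill -f treats its argument as an unanchored regular expression searched over every process's full command line, so a DISPLAY of ":1" also matches "Xvfb :10", "remote-debugging-port=9222" also matches port 92221, and "nautilus" matches any terminal whose command line mentions the word. The Python below is added here as an illustration and is not part of the audited skill. It simulates that matching over a constructed process table and shows the safer shape: validate and anchor the env-derived value if a name-based kill is unavoidable, and otherwise keep the Popen handle and terminate by process group. SAMPLE_PROCESSES, LaunchedProcesses and demo_tracked_kill are assumed names invented for the example.

```python
import os
import re
import signal
import subprocess
import sys

# Constructed sample of `ps -eo pid,args` output; not taken from any real host.
SAMPLE_PROCESSES = {
    101: "Xvfb :1 -screen 0 1280x720x24",
    102: "Xvfb :10 -screen 0 1920x1080x24",
    103: "google-chrome --remote-debugging-port=9222 about:blank",
    104: "python3 devserver.py --remote-debugging-port=92221",
    105: "nautilus --gapplication-service",
    106: "/usr/bin/gnome-terminal -- bash -c 'man nautilus'",
}


def pkill_f_matches(pattern, processes=SAMPLE_PROCESSES):
    """Simulate `pkill -f PATTERN`: an unanchored regex search over each full command line."""
    rx = re.compile(pattern)
    return sorted(pid for pid, cmdline in processes.items() if rx.search(cmdline))


def naive_xvfb_pattern(display):
    """The audited skill's shape: the DISPLAY value interpolated straight into a regex."""
    return f"Xvfb {display}"


def anchored_xvfb_pattern(display):
    """Validate the env-derived DISPLAY, then escape and anchor it so ':1' cannot match ':10'."""
    if not re.fullmatch(r":\d{1,4}(\.\d+)?", display):
        raise ValueError(f"refusing to build a kill pattern from DISPLAY={display!r}")
    return r"^Xvfb " + re.escape(display) + r"(\s|$)"


class LaunchedProcesses:
    """Kill only what this skill itself started, by process group, never by name."""

    def __init__(self):
        self._procs = {}

    def launch(self, name, argv, **popen_kwargs):
        # start_new_session puts the child in its own process group, so killpg reaches
        # the whole tree (Chrome helpers, Xvfb children) without touching anything else.
        proc = subprocess.Popen(argv, start_new_session=True, **popen_kwargs)
        self._procs[name] = proc
        return proc

    def kill(self, name, timeout=5.0):
        proc = self._procs.pop(name, None)
        if proc is None:
            raise KeyError(f"{name!r} was not launched by this skill; not killing by name")
        os.killpg(proc.pid, signal.SIGTERM)
        try:
            proc.wait(timeout=timeout)
        except subprocess.TimeoutExpired:
            os.killpg(proc.pid, signal.SIGKILL)  # escalate only after a graceful window
            proc.wait()
        return proc.returncode


def demo_tracked_kill():
    """Launch a harmless child, then kill it via the tracker; returns the child's exit status."""
    lp = LaunchedProcesses()
    lp.launch("sleeper", [sys.executable, "-c", "import time; time.sleep(60)"])
    return lp.kill("sleeper")


if __name__ == "__main__":
    print("pkill -f 'Xvfb :1' would hit:", pkill_f_matches(naive_xvfb_pattern(":1")))
    print("anchored pattern would hit:  ", pkill_f_matches(anchored_xvfb_pattern(":1")))
    print("pkill -f nautilus would hit: ", pkill_f_matches("nautilus"))
    print("tracked kill exit status:    ", demo_tracked_kill())
```

The simulation uses Python's re where pkill uses POSIX extended regex; for the plain patterns in the findings the two agree. The tracker is the version of kill_app a reviewer would accept: it cannot kill anything the skill did not launch, and the audit log can name the PID that was terminated.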

Tainted flow: 'env' from os.environ.get (line 167, credential/environment) → subprocess.Popen (code execution)

Medium
Category
Data Flow
Content
    print("[vbox] launching Chrome...")

    _proc = subprocess.Popen(
        ["google-chrome"] + CHROME_FLAGS + ["about:blank"],
        env=env,
        stdout=subprocess.DEVNULL,
Confidence
72% confidence
Finding
_proc = subprocess.Popen( ["google-chrome"] + CHROME_FLAGS + ["about:blank"], env=env, stdout=subprocess.DEVNULL, stderr=subprocess.PIPE, start_new_session=

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The type_human feature is explicitly documented as helping avoid bot detection, which goes beyond normal UI automation into evasion of security and anti-abuse controls. In an agent skill that can browse arbitrary sites, this capability can facilitate credential stuffing, scraping, fake account creation, or policy evasion at scale.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The code deliberately uses suppress_origin=True and comments that this bypasses Chrome's origin check, indicating circumvention of a browser security control protecting the DevTools websocket. In a local environment with a shared Chrome profile and exposed debugging port, this weakens trust boundaries and increases the chance of unauthorized CDP control if another process can reach the endpoint.
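For context on this finding: suppress_origin=True is the websocket-client option that omits the Origin header from the handshake. Chrome's DevTools endpoint rejects websocket connections whose Origin is not allowed through --remote-allow-origins, and dropping the header sidesteps that check instead of naming the trusted origin. The Python below is an added example, not the skill's code, showing the controls a reviewer would expect around a CDP port: a throwaway profile, loopback-only binding, reading the port from Chrome's DevToolsActivePort file instead of a fixed CDP_PORT, and a check of ss -ltn output for a debugging port that is listening beyond loopback. hardened_chrome_flags, audit_chrome_flags, non_loopback_listeners, demo_read_active_port and the SAMPLE_SS text are assumptions constructed for the example.

```python
import os
import re
import tempfile

LOOPBACK = {"127.0.0.1", "::1", "[::1]", "localhost"}


def hardened_chrome_flags(user_data_dir, port=0):
    """Flags for a CDP-driven Chrome that never touch the user's real profile or leave loopback.

    Assumed hardened defaults for this example, not the audited skill's CHROME_FLAGS.
    """
    return [
        f"--user-data-dir={user_data_dir}",      # throwaway profile: no personal cookies or tokens
        f"--remote-debugging-port={port}",       # 0 = let Chrome pick; read DevToolsActivePort
        "--remote-debugging-address=127.0.0.1",  # never 0.0.0.0
        "--no-first-run",
        "--no-default-browser-check",
    ]


def audit_chrome_flags(flags):
    """Return the reasons a flag list widens the CDP trust boundary (empty list = none found)."""
    opts = dict(flag.partition("=")[::2] for flag in flags)  # "--k=v" -> {"--k": "v"}
    issues = []
    if "--user-data-dir" not in opts:
        issues.append("no --user-data-dir: CDP runs against the default profile (live cookies, sessions)")
    if opts.get("--remote-debugging-address", "127.0.0.1") not in LOOPBACK:
        issues.append("--remote-debugging-address binds the DevTools port beyond loopback")
    if opts.get("--remote-allow-origins") == "*":
        issues.append("--remote-allow-origins=* lets any web page's script open the DevTools websocket")
    for flag in ("--disable-web-security", "--no-sandbox"):
        if flag in opts:
            issues.append(f"{flag} disables a browser security control")
    return issues


def read_devtools_active_port(user_data_dir):
    """Chrome writes DevToolsActivePort into the profile dir: line 1 is the TCP port,
    line 2 the browser-target websocket path. Reading it beats hard-coding a port."""
    with open(os.path.join(user_data_dir, "DevToolsActivePort"), encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    port, path = int(lines[0]), lines[1]
    return port, f"ws://127.0.0.1:{port}{path}"


def demo_read_active_port():
    """Write a constructed DevToolsActivePort into a temp profile dir and parse it back."""
    profile = tempfile.mkdtemp(prefix="ui-agent-profile-")
    with open(os.path.join(profile, "DevToolsActivePort"), "w", encoding="utf-8") as fh:
        fh.write("9222\n/devtools/browser/0d1f-constructed\n")
    return read_devtools_active_port(profile)


_SS_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def non_loopback_listeners(ss_output, port):
    """From `ss -ltn` output, return local addresses on `port` that are reachable beyond loopback."""
    exposed = []
    for line in ss_output.splitlines():
        m = _SS_LINE.match(line.strip())
        if m and int(m.group(2)) == port and m.group(1) not in LOOPBACK:
            exposed.append(m.group(1))
    return exposed


# Constructed `ss -ltn` sample (not from a real host): one CDP port on loopback, one on all interfaces.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       10      127.0.0.1:9222       0.0.0.0:*
LISTEN  0       10      0.0.0.0:9223         0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""

if __name__ == "__main__":
    print("skill-style flags:", audit_chrome_flags(["--remote-debugging-port=9222"]))
    print("hardened flags:   ", audit_chrome_flags(hardened_chrome_flags("/tmp/ui-agent-profile")))
    print("port 9223 exposed on:", non_loopback_listeners(SAMPLE_SS, 9223))
```

Running the audit on the skill's own launch line (a remote-debugging-port flag with no user-data-dir) reports the shared-profile problem the finding describes; the hardened list passes clean. The ss check is the operational counterpart: before connecting to CDP, confirm the port is not answering on a non-loopback address.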

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
A helper that can terminate arbitrary processes by name exceeds the minimum capability needed for normal UI testing and creates a host-disruption primitive. In the context of an automation agent, this is more dangerous because the agent can affect the broader desktop session rather than only the application under test.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The desktop automation section describes launching applications and sending simulated keystrokes, including save shortcuts and file-manager interactions, without warning that these actions can modify user files or trigger unintended operations on a live desktop. In a real environment, synthetic input can affect the wrong window or application and cause data loss or unauthorized changes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The session persistence guidance explicitly reads browser cookies and restores them after restart, but it does not include a privacy or security warning. Cookies can represent authenticated sessions or sensitive tokens, so documenting this as a convenience feature without disclosure normalizes behavior that could enable session theft or account takeover if misused.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This section markets broad browser and desktop automation features such as terminal execution, file manager access, window launching, cookie handling, and bot-detection bypass without any adjacent warning about the potential for destructive actions, privacy impact, credential/session misuse, or unintended system changes. In a skill that can act on both the local desktop and browser, omission of safety boundaries materially increases the chance that users deploy or invoke it in risky ways they do not fully understand.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The deployment text tells users the skill is 'production ready for real-world automation' while presenting powerful automation capabilities as ready for use, but it does not disclose the operational and security risks of browser and desktop control. This can lead users to over-trust the tool, especially because the documented capabilities include session/cookie handling and direct desktop interaction, which can affect sensitive data and system state.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation promotes screenshot capture and full UI snapshotting but does not clearly warn that these features can collect sensitive on-screen data, such as emails, passwords, tokens, personal messages, or confidential application content. In a universal desktop automation skill, this omission is material because the capability spans arbitrary applications and can expose broad user data if used carelessly or maliciously.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The Gmail example walks through composing and sending a real email, including navigation and final send actions, without a prominent warning that this can trigger irreversible outbound communication. In an automation skill, examples strongly shape usage, so omitting an execution warning increases the risk of accidental emails, data disclosure, impersonation, or misuse against third parties.

Missing User Warnings

High
Confidence
97% confidence
Finding
The shell() tool is documented as accepting arbitrary commands without any warning about destructive, persistence-establishing, data-exfiltrating, or privilege-impacting behavior. In the context of a UI automation agent that already has desktop visibility and input control, unrestricted shell execution substantially increases the attack surface and can turn the skill into a general-purpose system compromise primitive.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document explicitly recommends restoring Chrome profiles and manually importing/exporting cookies, but provides no warning that profile data may contain sensitive session tokens, browsing data, or credentials. In a UI automation skill, these instructions normalize handling browser state in ways that could expose private data or enable session hijacking if adopted without safeguards.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The form-filling helpers are designed to populate fields including credentials, and they log selectors and actual values back to stdout. This creates a clear risk of secret disclosure through logs, transcripts, crash dumps, or downstream observability systems, especially because the skill is intended for broad browser automation.
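An added example, not the skill's form-filling helper, of how the logging side of such a helper can keep selectors in the transcript without echoing secrets: the value is masked when the selector names a credential field, when the value itself looks like an opaque token, or when the caller says so explicitly. fill_log_line, looks_secret, redact and the two heuristic patterns are constructed for this example.

```python
import re

# Selectors that name a credential-bearing field. Over-matching (e.g. "#compass" hits "pass")
# is the safe direction: a redacted harmless value costs nothing, a logged password does.
SENSITIVE_SELECTOR = re.compile(
    r"type=['\"]?password|pass(word|wd|phrase)?|secret|token|otp|api[_-]?key|cvv|ssn",
    re.IGNORECASE,
)
# A long run of token-like characters with no whitespace: API keys, JWTs, session ids.
OPAQUE_VALUE = re.compile(r"[A-Za-z0-9_\-./+=]{24,}")


def looks_secret(selector, value):
    """True when either the target field or the value itself suggests a credential."""
    return bool(SENSITIVE_SELECTOR.search(selector) or OPAQUE_VALUE.fullmatch(value))


def redact(value):
    """Keep only the length so a failed fill is still debuggable without the secret."""
    return f"[REDACTED len={len(value)}]"


def fill_log_line(selector, value, secret=False):
    """The stdout line a form-filling helper should emit for one field.

    secret=True lets the caller force masking (e.g. a TOTP code typed into a field whose
    selector is just "#code"); otherwise the heuristic decides.
    """
    shown = redact(value) if secret or looks_secret(selector, value) else value
    return f"[fill] {selector} <- {shown}"


if __name__ == "__main__":
    # Constructed selector/value pairs, not captured from the audited skill.
    for sel, val in [("input[name='username']", "alice"),
                     ("input[type='password']", "hunter2"),
                     ("#note", "sk_live_4eC39HqLyjWDarjtT1zdp7dc")]:
        print(fill_log_line(sel, val))
```

The same gate belongs in front of any transcript, crash handler or structured-logging sink the agent writes to; masking only at print time still leaks if the raw value is stored on the exception object.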

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The upload_file helper can set arbitrary local file paths into web page file inputs without a user-mediated picker or warning, enabling silent exfiltration of local files to a remote site once the page submits the form. In a general-purpose UI agent, this significantly increases the risk of leaking host data, credentials, keys, or documents.
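An added example, not the skill's upload_file, of the check a reviewer would want before a local path reaches a web page's file input: the request is resolved against a single allowed directory after symlinks and ".." are canonicalised, non-regular and oversized files are refused, and the constructed demo shows a symlink planted inside the allowed directory being turned away. resolve_upload_path, UploadDenied and demo_upload_checks are assumed names, and the files the demo creates are constructed in a temporary directory.

```python
import os
import tempfile


class UploadDenied(PermissionError):
    """Raised when a requested path must not be handed to a web page's file input."""


def resolve_upload_path(requested, allowed_root, max_bytes=25 * 1024 * 1024):
    """Return the canonical path to set on the file input, or raise UploadDenied.

    Both sides are canonicalised (symlinks and '..' resolved) before the containment
    check, so a link planted inside the allowed directory that points at ~/.ssh or
    /etc is refused just like an explicit traversal. Relative requests resolve under
    allowed_root; absolute requests are accepted only if they already lie inside it.
    commonpath, not a string prefix, so "/x/uploads-evil" does not pass for "/x/uploads".
    """
    root = os.path.realpath(allowed_root)
    real = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, real]) != root:
        raise UploadDenied(f"{requested!r} resolves to {real}, outside {root}")
    if not os.path.isfile(real):
        raise UploadDenied(f"{requested!r} is not a regular file")
    if os.path.getsize(real) > max_bytes:
        raise UploadDenied(f"{requested!r} exceeds the {max_bytes}-byte upload cap")
    return real


def demo_upload_checks():
    """Constructed layout in a temp dir (no real user files):
        uploads/report.pdf                  a legitimate attachment
        uploads/link -> outside/id_ed25519  symlink escaping the allowed directory
    Returns a dict of request -> "allowed" / "denied"."""
    base = tempfile.mkdtemp(prefix="upload-demo-")
    uploads = os.path.join(base, "uploads")
    outside = os.path.join(base, "outside")
    os.mkdir(uploads)
    os.mkdir(outside)
    with open(os.path.join(uploads, "report.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 constructed sample\n")
    key = os.path.join(outside, "id_ed25519")
    with open(key, "wb") as fh:
        fh.write(b"-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n")
    os.symlink(key, os.path.join(uploads, "link"))

    results = {}
    for req in ("report.pdf", "link", "../outside/id_ed25519", "/etc/hostname", "."):
        try:
            resolve_upload_path(req, uploads)
            results[req] = "allowed"
        except UploadDenied:
            results[req] = "denied"
    return results


if __name__ == "__main__":
    for req, verdict in demo_upload_checks().items():
        print(f"{verdict:8} {req}")
```

Pair this with an explicit per-upload approval step in the agent loop: the allowlisted directory bounds what can leave the host, and the approval bounds when.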

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The anti-detection typing capability is presented without any safety constraints, warnings, or approved-use boundaries. That omission makes misuse easier in contexts where websites rely on behavioral detection to prevent fraud or abuse.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The screenshot helper captures the full desktop and writes it to disk without any user-facing disclosure, consent, or data-minimization controls. In a universal UI automation skill, this is materially risky because screenshots can contain credentials, personal data, tokens, or unrelated application content from the host desktop.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The process-killing helper performs a destructive action with only a minimal log message and no meaningful confirmation, scoping, or safeguards. In an agent-driven desktop environment, that can unexpectedly interrupt user work or system processes and is therefore a real safety issue.

VirusTotal

65/65 vendors flagged this skill as clean.
