ClawHub

Webperf Core Web Vitals

Security checks across malware telemetry and agentic risk

Overview

This skill is a web performance debugging helper that runs page-context DevTools snippets, with no evidence of exfiltration, destructive behavior, install-time execution, or persistence beyond the active page session.

Install this if you want DevTools-based Core Web Vitals debugging. Run the snippets only on pages you trust and intend to analyze, especially avoiding sensitive logged-in, financial, internal, or personal-data pages unless you have reviewed the specific snippet and are comfortable with temporary page-context inspection and visual highlighting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill description materially overstates and misrepresents behavior: it claims intelligent automated workflows and cross-skill orchestration, while the file only documents manual guidance and also omits side effects such as DOM mutation for visual highlighting. In a security-sensitive agent setting, this mismatch is dangerous because users and orchestrators may grant broader trust or invoke the skill under false assumptions about what it does, which can lead to unintended page modification, misleading analysis outcomes, or unsafe automation decisions.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
## Decision Tree

Use this decision tree to automatically run follow-up snippets based on results:

### After LCP.js
Confidence
81% confidence
Finding
automatically run

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal