Security audit

Openclaw Web Browser

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed web browsing, scraping, and monitoring skill with expected local storage and optional scheduling, but users should scope it carefully.

Install only if you want a tool that can fetch web pages and store collected results locally. Use dedicated output directories, avoid sensitive logged-in pages unless local artifacts are acceptable, review target-site rules, and enable cron only for specific monitors you intend to run continuously.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Intent-Code Divergence

Medium
Confidence: 98%
Finding: This is a real logic flaw: the code saves the current snapshot before retrieving the 'latest' snapshot, so the comparison usually reads back the just-saved snapshot instead of the prior one. As a result, real page changes can be missed and the monitor may report 'no changes' when changes actually occurred, undermining the integrity of monitoring and alerting.

Vague Triggers

Medium
Confidence: 90%
Finding: The skill description includes very broad trigger phrases such as requests for related regulations, standards, legal basis, and official documents across multiple domains, plus language saying the skill must be used for such requests. This can cause over-invocation on ordinary user queries, expanding the skill's access to browsing and document recommendation workflows when the user may not have intended external lookup or processing.

Missing User Warnings

Medium
Confidence: 94%
Finding: The workflow explicitly accepts user-provided URLs and JSON, performs web verification, and checks URL validity with network requests, but it provides no safety guidance on validating destinations, restricting protocols, or handling untrusted input. In a browsing-oriented skill, this increases the risk of SSRF-like access, unintended external requests, processing of malicious files, and privacy leakage through automatic network activity.

Vague Triggers

Medium
Confidence: 89%
Finding: The manifest description includes broad trigger phrases and a mandatory instruction that this skill 'must' be used for a wide class of requests. In an agent environment, this can cause over-invocation, routing unrelated or weakly related prompts into web search and recommendation behavior, increasing the chance of unnecessary external access, irrelevant tool use, and propagation of low-confidence outputs as authoritative recommendations.

Session Persistence

Medium
Category: Rogue Agent
Content:
### cron integration (scheduled execution)

```bash
# crontab -e
# Every day at 8 AM: check all monitors
0 8 * * * cd ~/web-monitor && python3 scripts/monitor.py check-all
```
Confidence: 80%
Finding: crontab -e

VirusTotal

67/67 vendors flagged this skill as clean.