Browser Download

Security checks across malware telemetry and agentic risk

Overview

This is a narrow browser-download helper; it can save requested web files locally, so users should treat downloads as untrusted, but no hidden or malicious behavior was found.

Install this only if you want OpenClaw/ADA to help download files from webpages. Use it on sites and files you intentionally choose, check the destination filename before saving, avoid overwriting existing files unless intended, and inspect or scan downloaded files before opening or executing them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill explicitly instructs saving downloaded content from arbitrary webpages directly to a local filesystem path, but provides no guidance on validating file provenance, preventing overwrite, or handling untrusted content safely. In an agent context, this increases the risk of clobbering existing files, storing malicious payloads, or enabling later unsafe processing of attacker-controlled files.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal