AI-Search-Hub

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but it can copy and reuse a logged-in browser profile through Chrome debugging, so it should be reviewed before installation.

Install only if you are comfortable with a local script driving Chrome, reusing logged-in AI service sessions, and copying browser profile data into a persistent debug profile. Prefer a dedicated browser profile and dedicated accounts, avoid sensitive prompts, keep the DevTools remote-debugging port bound to localhost, and delete the copied debug profile when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises and instructs use of powerful capabilities including shell execution, local file read/write, network access, environment access, and browser-profile copying, but it does not declare permissions or present those capabilities explicitly as part of a permission model. That mismatch is dangerous because an agent or user may invoke the skill without understanding that it can access local browser data and launch automation against authenticated sessions.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The code seeds its debug profile by copying browser state from the user's real Chromium profile, including shared files and a selected signed-in profile directory. In the context of a browser automation skill, this grants access to authenticated session material, browsing state, and potentially sensitive local data far beyond what is necessary to merely attach to an existing DevTools session, increasing the risk of account misuse or data exposure if the automation or downstream scripts misbehave.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script accepts a user-supplied --url and then navigates Playwright to that destination without constraining it to Yuanbao-owned origins. In this skill context, that broadens a site-specific automation tool into a general browser automation primitive that can drive arbitrary pages, interact with login forms, and submit prompts or data in ways outside the documented scope.
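
The check this finding asks for is an origin allowlist applied before navigation. The following is an added example written for this page, not code from the AI-Search-Hub skill; the Yuanbao origins in ALLOWED_ORIGINS are placeholders because the page does not state the real ones, and guarded_goto is a hypothetical wrapper around Playwright's own page.goto. It normalizes scheme, host and port, and rejects the usual bypasses: non-web schemes, userinfo tricks such as https://allowed@evil, subdomain look-alikes, and HTTP downgrade.

```python
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Placeholder allowlist: the skill's real Yuanbao origins are not given on the page.
ALLOWED_ORIGINS = frozenset({"https://yuanbao.example", "https://chat.yuanbao.example"})

_DEFAULT_PORTS = {"https": 443, "http": 80}


def normalize_origin(url: str) -> Optional[str]:
    """Return scheme://host[:port] for url, or None if it can never be a safe navigation target."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in _DEFAULT_PORTS:
        return None  # file:, javascript:, chrome:, data: and friends are never allowed
    if parts.username is not None or parts.password is not None:
        return None  # https://allowed.example@evil.example would otherwise parse as evil.example
    host = parts.hostname
    if not host:
        return None
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    host = host.rstrip(".").lower()  # drop a trailing-dot FQDN form so it cannot dodge the compare
    if port is None or port == _DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def is_allowed_target(url: str, allowed: Iterable[str] = ALLOWED_ORIGINS) -> bool:
    """Exact-origin comparison: no prefix or substring matching, so evil.example cannot spoof it."""
    origin = normalize_origin(url)
    allowed_origins = {normalize_origin(a) for a in allowed} - {None}
    return origin is not None and origin in allowed_origins


def guarded_goto(page, url: str, allowed: Iterable[str] = ALLOWED_ORIGINS) -> None:
    """Hypothetical wrapper: page.goto is Playwright's call, the allowlist gate is the added part."""
    if not is_allowed_target(url, allowed):
        raise PermissionError(f"refusing to navigate outside the allowed origins: {url}")
    page.goto(url)
```

A navigation can still be redirected after the gate passes, so a script that relies on this should also compare page.url after goto returns (or listen for frame navigations) and stop if the page has left the allowlist.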

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The CDP attachment logic allows the script to connect to any supplied Chrome DevTools endpoint and operate inside an already authenticated browser context. In the skill context, this is more dangerous because the tool is explicitly designed to reuse existing browser sessions and profiles, so arbitrary CDP access can expose cookies, active tabs, and privileged state well beyond Yuanbao automation.
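
The practical mitigation for this finding, and for the overview's advice to keep DevTools local, is to refuse any CDP endpoint that is not a loopback address on the expected port. The block below is an added example for this page, not the skill's code; cdp_endpoint_is_local and attach_local_browser are hypothetical names, while chromium.connect_over_cdp is Playwright's own API. Note that "localhost" is accepted only as the literal name; any other hostname is refused rather than resolved, because a name that resolves off-box would hand the whole authenticated browser to a remote party.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit


def cdp_endpoint_is_local(endpoint: str, expected_port: Optional[int] = 9222) -> bool:
    """True only for http(s)/ws(s) endpoints on a loopback address and, if given, the expected port."""
    parts = urlsplit(endpoint.strip())
    if parts.scheme.lower() not in {"http", "https", "ws", "wss"}:
        return False
    if parts.username is not None or parts.password is not None:
        return False  # http://127.0.0.1@10.0.0.5:9222 parses with host 10.0.0.5
    host = parts.hostname
    if not host:
        return False
    try:
        port = parts.port
    except ValueError:
        return False
    if expected_port is not None and port != expected_port:
        return False
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback  # 127.0.0.0/8 and ::1
    except ValueError:
        return False  # any other hostname might resolve to a remote machine; refuse


def attach_local_browser(chromium, endpoint: str, expected_port: int = 9222):
    """Hypothetical wrapper: gate the attach, then hand off to Playwright's connect_over_cdp."""
    if not cdp_endpoint_is_local(endpoint, expected_port):
        raise PermissionError(f"refusing to attach to a non-local CDP endpoint: {endpoint}")
    return chromium.connect_over_cdp(endpoint)
```

This check only covers the client side. Chrome binds the remote-debugging listener to 127.0.0.1 by default; launching it with --remote-debugging-address set to a non-loopback address exposes the debug profile, cookies and open tabs to anyone who can reach that port, so that flag should never appear in the skill's launch command.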

Vague Triggers

Medium
Confidence
93% confidence
Finding
The documented `allow_implicit_invocation: true` setting increases the chance that an agent can trigger this browser automation skill without an explicit user request. In this skill's context, activation can start or attach to a Chrome DevTools session, seed a debug profile from local browser data, and send prompts to external AI sites, so unintended invocation could expose browsing context or transmit sensitive user queries to third parties.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README describes dispatching the same query to multiple external providers but does not warn that user prompts may be transmitted to third-party services. In a skill designed to automate multiple AI search platforms and potentially reuse logged-in browser sessions, lack of disclosure can lead to accidental sharing of sensitive or regulated data across several external domains.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README advertises automatic browser startup, login waiting, and execution against third-party AI sites, but does not clearly warn that prompts may be transmitted to external services and may use the user's authenticated browser session. In this skill's context, that omission is meaningful because the capability explicitly attaches to Chrome DevTools and continues after login, which can cause users or downstream agents to send sensitive data under real accounts without informed consent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The description mentions seeding an isolated debug profile from the user's local browser data, but it does not give a prominent, explicit warning that sensitive cookies, tokens, history, and other session artifacts may be copied and then used by automation. In this context, that omission is especially risky because the skill is specifically designed to reuse or recover logged-in sessions for third-party AI sites via Chrome DevTools, increasing the chance of unintended authenticated actions or exposure of personal data.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The skill enables implicit invocation with no visible trigger restrictions or scope limits, allowing it to be auto-selected in situations the user may not have explicitly intended. In this skill's context, that is especially risky because the described behavior includes browser automation, attaching to Chrome DevTools on port 9222, seeding a debug profile from local browser data, and handling login state, which could expose sensitive browsing context or cause unintended actions on third-party sites.

Missing User Warnings

Low
Confidence
95% confidence
Finding
The script accepts an arbitrary --output path and writes browser-derived model output to that location without constraining the destination or requiring explicit confirmation at the point of write. In an agent skill context, this can modify unexpected files if a caller supplies a sensitive path, causing file clobbering or persistence of untrusted content on the local filesystem.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
At this point the runner automatically copies local browser profile data into an isolated debug profile without a prominent user-facing warning or consent checkpoint. Because this skill is specifically designed to automate logged-in chat sites, silent access to local browser state is more dangerous in context: it can inherit active sessions and sensitive artifacts the user may not realize are being duplicated.
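
This finding and the earlier Context-Inappropriate Capability finding both concern the profile copy, and the overview asks users to delete the copied debug profile afterwards. The following added example (written for this page, not part of the skill) does the two things a user would want around that copy: list which well-known Chromium session artifacts actually landed in the debug profile, and delete the profile with a guard that refuses anything not sitting directly under the expected parent directory, so a mistyped or symlinked path cannot wipe the real browser profile. The artifact names are Chromium's own; the sample profile built by build_sample_debug_profile is constructed placeholder data, and all function names are assumptions.

```python
import shutil
import tempfile
from pathlib import Path
from typing import Dict

# Well-known Chromium artifact names that carry session or personal state.
# Illustrative, not exhaustive; paths are relative to the profile directory.
SENSITIVE_PROFILE_ARTIFACTS = [
    "Cookies",            # session cookies (older layout)
    "Network/Cookies",    # session cookies (current layout)
    "Login Data",         # saved passwords, encrypted with the OS-protected key
    "Web Data",           # autofill entries and payment metadata
    "History",
    "Local Storage",
    "Session Storage",
    "IndexedDB",
    "Sessions",           # open-tab and restore state
]
# "Local State" sits at the user-data-dir root and holds the key that unwraps
# the encrypted artifacts above, so copying it alongside them is what matters.
SENSITIVE_ROOT_ARTIFACTS = ["Local State"]


def _size(p: Path) -> int:
    """Total bytes of a file, or of every file under a directory."""
    if p.is_file():
        return p.stat().st_size
    return sum(f.stat().st_size for f in p.rglob("*") if f.is_file())


def inventory_debug_profile(user_data_dir: Path, profile_name: str = "Default") -> Dict[str, int]:
    """Map each sensitive artifact present in the copied profile to its size in bytes."""
    found: Dict[str, int] = {}
    for rel in SENSITIVE_ROOT_ARTIFACTS:
        if (user_data_dir / rel).exists():
            found[rel] = _size(user_data_dir / rel)
    profile = user_data_dir / profile_name
    for rel in SENSITIVE_PROFILE_ARTIFACTS:
        if (profile / rel).exists():
            found[f"{profile_name}/{rel}"] = _size(profile / rel)
    return found


def purge_debug_profile(user_data_dir: Path, expected_parent: Path) -> None:
    """Delete the copied profile, refusing anything that is not a direct child of expected_parent."""
    if user_data_dir.is_symlink():
        raise ValueError(f"refusing to delete through a symlink: {user_data_dir}")
    target = user_data_dir.resolve()
    parent = expected_parent.resolve()
    if target == parent or target.parent != parent or not target.is_dir():
        raise ValueError(f"refusing to delete {target}: not a debug profile directly under {parent}")
    shutil.rmtree(target)


def build_sample_debug_profile(parent: Path) -> Path:
    """Constructed sample for this example: placeholder files, not real browser data."""
    udd = parent / "ai-search-hub-debug"
    (udd / "Default" / "Network").mkdir(parents=True)
    (udd / "Local State").write_text("{}", encoding="utf-8")
    (udd / "Default" / "Network" / "Cookies").write_bytes(b"\x00" * 64)
    (udd / "Default" / "Login Data").write_bytes(b"\x00" * 32)
    (udd / "Default" / "Local Storage").mkdir()
    (udd / "Default" / "Local Storage" / "000003.log").write_bytes(b"\x00" * 16)
    return udd


def demo() -> Dict[str, object]:
    """Inventory the constructed profile, confirm the purge guard, then purge it."""
    with tempfile.TemporaryDirectory() as tmp:
        parent = Path(tmp)
        udd = build_sample_debug_profile(parent)
        inventory = inventory_debug_profile(udd)
        try:
            purge_debug_profile(parent, expected_parent=parent)  # the parent itself must be refused
            refused = False
        except ValueError:
            refused = True
        purge_debug_profile(udd, expected_parent=parent)
        return {"inventory": inventory, "refused_parent": refused, "purged": not udd.exists()}


if __name__ == "__main__":
    print(demo())
```

Run inventory_debug_profile against the skill's debug profile before the first session and after each run: a non-empty result shows exactly which session material the copy inherited, which is the disclosure this finding says the README lacks.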

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script sends the user-supplied question directly to third-party AI chat services (for example Qwen, Gemini, and Grok) without any in-code consent gate, warning, redaction, or data-classification check. In this skill's context, that is more dangerous than a generic browser automation script because the skill is explicitly designed to bridge local user context into external services and may be used on sensitive prompts; this creates a real risk of unintended disclosure of secrets, personal data, or proprietary information.
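
A minimal version of the consent and classification gate this finding describes, as an added example for this page rather than the skill's code: classify_prompt, redact_prompt and gate_prompt are hypothetical names, and the regular expressions are illustrative patterns for common secret formats and a few disclosure markers, not a complete classifier. Material that should never leave the machine (private key blocks, text marked confidential) is refused outright; other hits are redacted and only sent if an approval callback, which defaults to deny, says so.

```python
import re
from typing import Callable, List, Optional, Tuple

# Illustrative patterns only; a real deployment would plug in its own classifier.
SENSITIVE_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("aws_access_key", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b")),
    ("bearer_header", re.compile(r"(?i)\bauthorization:\s*bearer\s+\S+")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("internal_marker", re.compile(r"(?i)\b(?:confidential|internal only|do not distribute)\b")),
]

# Categories that are never sent, redacted or not.
HARD_BLOCK = {"private_key_block", "internal_marker"}

Approver = Callable[[str, List[str]], bool]


def classify_prompt(prompt: str) -> List[str]:
    """Names of every pattern that matches somewhere in the prompt, in pattern order."""
    return [name for name, rx in SENSITIVE_PATTERNS if rx.search(prompt)]


def redact_prompt(prompt: str) -> str:
    """Replace each matched span with a labelled placeholder so the question keeps its shape."""
    out = prompt
    for name, rx in SENSITIVE_PATTERNS:
        out = rx.sub(f"[REDACTED {name}]", out)
    return out


def gate_prompt(prompt: str, providers: List[str],
                approve: Optional[Approver] = None) -> Tuple[bool, str, List[str]]:
    """Decide whether prompt may be dispatched to the listed third-party providers.

    Returns (allowed, text_to_send, hits). Clean prompts pass unchanged; hard-blocked
    categories are refused; anything else is redacted and needs explicit approval.
    """
    hits = classify_prompt(prompt)
    if not hits:
        return True, prompt, []
    if HARD_BLOCK & set(hits):
        return False, "", hits
    redacted = redact_prompt(prompt)
    if approve is not None and approve(redacted, providers):
        return True, redacted, hits
    return False, "", hits


if __name__ == "__main__":
    # Constructed sample prompt; the key is the well-known AWS documentation example value.
    print(gate_prompt("how do I configure AKIAIOSFODNN7EXAMPLE in boto3?", ["qwen", "gemini", "grok"]))
```

In the skill's flow the gate belongs between argument parsing and the first page.fill, with the approval callback wired to an interactive yes/no that names the providers the text is about to reach; an agent invoking the skill implicitly should get the default-deny path.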

Missing User Warnings

Low
Confidence
85% confidence
Finding
The code writes returned content to an arbitrary path supplied by --output, creating directories as needed and overwriting the target file without confirmation. In an agent-skill setting this is security-relevant because a caller can direct writes to unexpected locations, potentially clobbering local files, planting misleading content, or persisting sensitive model output onto disk where it may be exposed later.
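
Both --output findings (this one and the earlier Low finding) describe the same defect: the destination is neither contained nor confirmed. The following added example, written for this page and not taken from the skill, resolves the user-supplied path against a fixed output directory, rejects anything that escapes it (via .., an absolute path, or a symlink that points outside), refuses to clobber an existing file unless overwriting is explicitly enabled, and opens with mode "x" so a file that appears between the check and the write still fails. resolve_output_path, write_output and demo are hypothetical names; the paths in demo are constructed under a temporary directory.

```python
import tempfile
from pathlib import Path
from typing import Dict


def resolve_output_path(user_path: str, base_dir: Path, allow_overwrite: bool = False) -> Path:
    """Return an absolute path inside base_dir for --output, or raise."""
    base = base_dir.resolve()
    candidate = Path(user_path)
    if not candidate.is_absolute():
        candidate = base / candidate
    target = candidate.resolve()  # collapses .. and follows any existing symlink components
    if target == base or base not in target.parents:
        raise PermissionError(f"--output must stay inside {base}: {user_path}")
    if target.is_dir():
        raise IsADirectoryError(f"--output is a directory: {target}")
    if target.exists() and not allow_overwrite:
        raise FileExistsError(f"--output exists; pass allow_overwrite to replace it: {target}")
    return target


def write_output(content: str, user_path: str, base_dir: Path, allow_overwrite: bool = False) -> Path:
    """Create parent directories inside base_dir only, then write without racing the check."""
    target = resolve_output_path(user_path, base_dir, allow_overwrite)
    target.parent.mkdir(parents=True, exist_ok=True)
    mode = "w" if allow_overwrite else "x"  # "x" fails if the file appeared since resolve_output_path ran
    with open(target, mode, encoding="utf-8") as fh:
        fh.write(content)
    return target


def demo() -> Dict[str, bool]:
    """Exercise the containment and clobber rules against a temporary output directory."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "outputs"
        base.mkdir()
        results: Dict[str, bool] = {}
        p = write_output("answer text", "runs/2024/qwen.md", base)
        results["relative_ok"] = p.read_text(encoding="utf-8") == "answer text" and base.resolve() in p.parents
        try:
            write_output("x", "../escape.md", base)
            results["escape_blocked"] = False
        except PermissionError:
            results["escape_blocked"] = True
        try:
            write_output("x", str(Path(tmp).parent / "escape.md"), base)  # absolute path outside base
            results["absolute_blocked"] = False
        except PermissionError:
            results["absolute_blocked"] = True
        try:
            write_output("y", "runs/2024/qwen.md", base)
            results["clobber_blocked"] = False
        except FileExistsError:
            results["clobber_blocked"] = True
        replaced = write_output("y", "runs/2024/qwen.md", base, allow_overwrite=True)
        results["overwrite_explicit"] = replaced.read_text(encoding="utf-8") == "y"
        return results


if __name__ == "__main__":
    print(demo())
```

Keeping the confirmation as an explicit flag rather than a prompt matters in the agent setting the finding describes: an agent that can pass --output can also answer a yes/no prompt, so the overwrite decision has to be visible in the invocation itself.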

VirusTotal

63/63 vendors flagged this skill as clean.
