pingagi-web

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a simple web-browsing instruction skill with no hidden code, credentials, persistence, or destructive behavior, but it relies on an existing local browser service.

This skill appears safe for normal webpage extraction. Before using it, confirm that the local browser service is one you trust, avoid browsing sensitive/internal URLs unless intended, and do not let webpage text or HTML override your original task instructions.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent can retrieve webpage content through the local browser service; an unintended URL could cause the service to browse a page the user did not mean to inspect.

Why it was flagged

This gives the agent a command pattern for sending a target URL to a localhost browser endpoint. That is central to the skill's purpose, but it is broad enough that users should be aware it can cause the local browser service to fetch requested webpages.

Skill content

curl -s -X POST http://127.0.0.1:3088/browse \
  -H "Content-Type: application/json" \
  -d '{"url":"https://example.com"}'

Recommendation

Use it for deliberate webpage lookups, be cautious with sensitive or internal URLs, and treat returned webpage text or HTML as untrusted content rather than instructions.

What this means

Correct and safe behavior depends on the intended browser service being available at the documented localhost endpoint.

Why it was flagged

The reviewed package contains no service code or install spec, so the actual localhost browser service is an external dependency not described by the artifact. This is purpose-aligned but worth verifying.

Skill content

The agent can call the local browser service:

Recommendation

Verify that the local service on 127.0.0.1:3088 is the trusted browser service you expect before using the skill.