Agent Browser (projectamazonph)

Security checks across malware telemetry and agentic risk

Overview

This browser automation skill also includes unrelated self-improvement hooks that can persistently inject reminders across prompts, so it should be reviewed before installation.

Install only if you understand that this bundle is not just an Agent Browser guide. Review or remove the self-improvement hook files before use, avoid global hook activation unless you explicitly want it across all projects, prefer project-local scoped matchers, and keep any saved browser auth-state files private and out of source control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill explicitly documents saving and loading browser auth state, cookies, and storage, but provides no warning that these artifacts can contain bearer sessions, CSRF tokens, or other sensitive data that enable account reuse and lateral access if copied or mishandled. In a browser automation skill, this omission is security-relevant because users may normalize persisting and reusing live authenticated state without applying access controls, expiration, or redaction.

Vague Triggers

Medium
Confidence: 91%
Finding
The example config uses an empty matcher for UserPromptSubmit, which causes the hook to run on every prompt rather than on a constrained subset of actions. In this skill context, that creates unnecessarily broad prompt-time execution of a local script and increases privacy, reliability, and abuse risk if the script path is replaced or modified later.

Vague Triggers

Medium
Confidence: 89%
Finding
The guide recommends user-level global activation in ~/.claude/settings.json without meaningful scope restriction, so the hook can affect all future sessions and repositories. Persistent, cross-project hook execution expands blast radius and can expose unrelated prompts or workflows to the script output mechanism.

Vague Triggers

Medium
Confidence: 88%
Finding
The Codex CLI example also leaves the matcher empty, making activation unconditional for every prompt event. Even if the script only emits text, broad automatic invocation creates unnecessary exposure and normalizes always-on hook behavior that could be abused if the script changes.

VirusTotal

64/64 vendors flagged this skill as clean.
