Browserless Agent

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate browser automation skill, but it gives an agent broad control over websites, browser session data, and local output files without enough built-in scoping or consent guidance.

Install only if you want to grant the agent broad browser-control authority. Prefer a dedicated or self-hosted Browserless instance for sensitive work, keep BROWSERLESS_TOKEN in secure secret storage, use wss:// for remote services, and require explicit confirmation before uploads, submissions, cookie/localStorage reads, custom auth headers, screenshots/PDFs of private pages, or arbitrary JavaScript evaluation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The security notes claim credentials are never logged or exposed in responses, but the documented API can directly read cookies, localStorage, page content, and arbitrary JavaScript results, all of which may contain secrets. This creates a misleading security assurance that could cause users to expose sensitive session data to the skill or the remote Browserless backend.

Missing User Warnings

Medium
Confidence: 88%
Finding
The changelog and usage guidance promote powerful browser automation capabilities such as form filling, clicking, scraping, and navigation, but they do not clearly warn that these actions can affect third-party websites, submit data, trigger side effects, or require authorization. In an agent skill context, this omission is security-relevant because it normalizes active interaction with arbitrary sites and may encourage unsafe deployment or use without consent boundaries.

Missing User Warnings

Low
Confidence: 91%
Finding
The guide explicitly recommends placing a live authentication token in a plaintext `.env` file, but does not warn that such files are readable by local users/processes, can be accidentally committed, and should have restricted permissions. While this is common developer practice, documenting it without caveats can increase the chance of secret leakage, especially in shared workstations or poorly secured repositories.

Vague Triggers

Medium
Confidence: 93%
Finding
The README encourages automatic use of powerful browser automation from vague user prompts like taking screenshots or filling forms, without stating consent, domain restrictions, or confirmation requirements. In an agent setting, this can lead to unintended navigation, authenticated actions, or interaction with sensitive pages based on underspecified requests.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill exposes sensitive capabilities including file upload, cookie/storage manipulation, custom headers, JavaScript evaluation, screenshots, PDFs, and form automation, but the safety guidance is minimal and not prominent where these features are introduced. Users or downstream agents may treat these actions as routine, increasing the risk of privacy violations, credential misuse, or unintended actions on third-party sites.

Missing User Warnings

Medium
Confidence: 82%
Finding
The skill advertises file-writing and state-changing actions such as screenshot/PDF path output, uploads, cookie/storage mutation, and browser-state changes without warning users about persistence or side effects. In an agent setting, that can lead to unintended local file creation, stateful website actions, or altered session behavior without informed consent.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill documents network scraping and extraction features but does not warn that browsing data, page contents, credentials-in-context, and automation steps may be transmitted to a configured third-party or self-hosted Browserless service. This omission increases privacy and data-handling risk, especially when the backend is remote and receives full browsing context.

VirusTotal

64/64 vendors flagged this skill as clean.
