Predicate Snapshot

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed browser snapshot and action helper, but users should understand that API-backed snapshots and demos can send page-derived content to external services.

Install only if you are comfortable giving the skill access to the active browser page and letting it click, type, or scroll when invoked. Use predicate-snapshot-local for sensitive pages, avoid running API-backed snapshots or LLM demos on private/account pages unless you accept external processing, and keep API keys out of shared files and version control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (18)

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill is presented as a DOM-pruning/snapshot optimization tool, but the documentation also exposes active browser control via `/predicate-act`. This mismatch can cause users or policy systems to grant trust appropriate for a passive read-only skill while the skill can perform state-changing actions such as clicking, typing, and workflow automation on live sites.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The documentation claims DOM pruning as the skill's purpose, but it also documents `/predicate-act`, which can click, type, and scroll on behalf of the agent. That creates a security-significant gap between user expectations and actual behavior, increasing the risk of unintended transactions, form submission, or navigation when the skill is treated as read-only.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This file materially exceeds the declared skill scope of DOM pruning by implementing end-to-end browser automation for login, navigation, and profile extraction. Scope mismatch is dangerous because users or host systems may grant capabilities based on the published description while the code performs materially broader actions, including interaction with external sites and account workflows.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code initializes remote LLM providers using environment API keys and sends page-derived snapshots and accessibility-tree content to those providers for decision-making. That creates a real data exfiltration path: sensitive page content from login or profile pages can be transmitted to third-party services, which is not justified by the stated DOM-pruning functionality and may violate least-privilege and data-handling expectations.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill metadata says it is for DOM pruning and snapshot compression, but this file exposes active browser-manipulation primitives (`click`, `type`, `scroll`). That scope expansion creates a capability gap where a caller expecting a read-oriented snapshot tool can instead trigger state-changing actions in the browser, increasing the risk of unintended form submission, navigation, or data modification.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code directly invokes Playwright page actions (`click`, `fill`, `evaluate`) even though the surrounding skill is described as a DOM-pruning/snapshot utility. In agent environments, undocumented page-manipulation capability is dangerous because it can be abused to alter application state, enter attacker-chosen data, or drive workflows the user did not intend this skill to perform.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill metadata and descriptions present this package as a DOM snapshotting/pruning capability, but the exported MCP toolset also exposes `predicate-act`, which can click, type, and scroll on page elements. This is a capability mismatch that can mislead reviewers or users into granting browser automation privileges to a skill they believe is read-only, increasing the risk of unauthorized page interactions, form submission, or data entry.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The module header states the server provides ML-powered DOM snapshots, but the file imports and registers `PredicateActTool`, which performs browser actions. Even if the action set is limited, understating capabilities creates a security transparency issue that can cause operators and agent frameworks to treat a write-capable tool as observational only.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The top-level comments frame the server as providing DOM snapshots for browser automation, but the implementation also supports direct action execution on page elements. In an agent skill context, hidden or under-documented actuation is more dangerous because agents may be allowed to invoke tools based on their declared purpose, leading to unintended state changes on websites.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README explicitly instructs users to place live API keys in a plaintext `.env` file but does not warn them to exclude that file from version control, restrict file permissions, or use a secrets manager. This creates a realistic path to credential leakage through accidental git commits, shared workspaces, backups, or local compromise, especially because the same section shows copy-pasteable examples with real secret formats.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill advertises ML-powered ranking via an API key, which strongly implies page snapshot data may be transmitted to an external service, yet the documentation does not warn users that browser content could leave the local environment. Browser snapshots can contain sensitive page text, links, identifiers, and possibly user data, so undisclosed remote processing creates a meaningful confidentiality risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code serializes page-derived content from the accessibility tree or predicate snapshot into a prompt and sends it to whichever external LLM provider is configured. That can disclose page contents, potentially including sensitive or proprietary information, without any explicit user warning, redaction, allowlist, or consent flow in the demo code.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation tells users to persist API keys in shell startup files and a plaintext config file, but does not warn that these locations can be exposed through shell history, backups, dotfile sync, local file disclosure, or accidental commits. In a skill that integrates with external services, normalized insecure secret storage increases the chance of credential leakage and unauthorized API use.

Missing User Warnings

Low
Confidence
85% confidence
Finding
The guide publishes working demo credentials without clearly and immediately stating that they are only for the intentionally insecure test site. This can normalize unsafe credential handling practices and may cause users to reuse or test similar credentials elsewhere, though the direct security impact is limited if the credentials are truly confined to the demo environment.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
State-changing browser actions are executed immediately from supplied parameters without any user-facing warning, confirmation, or transaction-safety guard. This makes prompt-influenced or mistaken tool calls capable of clicking controls, typing into forms, or scrolling to manipulated elements without a meaningful chance to detect or stop unsafe actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script captures browser snapshots from a live login page and stores them in shell variables without any warning, redaction, or guardrails. Login pages can contain sensitive UI text, prefilled identifiers, session-specific content, or other private page state, so this test may inadvertently collect and expose sensitive data in logs, terminals, CI output, or downstream processing.

Missing User Warnings

Medium
Confidence
76% confidence
Finding
The integration test automatically launches a real browser against a public login page and exercises snapshot/tool behavior without any explicit warning, consent gate, or safe test fixture. Even though it does not submit credentials here, capturing and processing live page state can pull in third-party content, dynamic identifiers, or sensitive UI data and normalizes testing against production-like targets.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
When `PREDICATE_API_KEY` is present, the test invokes the ML-powered snapshot path without a clear warning that page content may be transmitted to an external API. In this skill context, snapshots of DOM content from a live login page could include sensitive page text, form labels, CSRF tokens, or other context that should not be sent off-box implicitly.

VirusTotal

61/61 vendors flagged this skill as clean.
