Browser Secure

Security checks across malware telemetry and agentic risk

Overview

The skill's code is largely consistent with its stated purpose of secure browser automation, but its handling of credentials and authenticated page content has approval-gate and data-retention weaknesses that should be reviewed before installation.

Install only on a trusted, single-user machine, and use a dedicated automation Chrome profile and narrowly scoped vault items. Do not store master passwords in .env, do not pass --yes or --skip-approval for sensitive sites, leave raw HTML/full-text capture disabled unless it is needed, and regularly clear the ~/.browser-secure scrapbook, logs, cache, and daemon state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (31)

Intent-Code Divergence

Medium
Confidence
83% confidence
Finding
The README presents the tool as a narrowly scoped, human-guided capture utility, but later documents legacy `act` and daemon capabilities that materially broaden it into general browser automation. This mismatch can cause operators or downstream agents to over-trust the tool's safety boundaries and invoke capabilities that reach beyond the claimed gated-content use case.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The security model claims approval gates at every step, but `--yes` explicitly disables those human approvals. In a security-sensitive browser automation tool, this creates a direct path to unattended access, extraction, and recording, undermining the core safeguard the README emphasizes.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The CLI exposes substantial site profiling, capture, and scrapbook/export functionality that goes well beyond the declared purpose of secure browser automation. This materially expands the skill from browser control into content collection and local knowledge-base building, increasing the risk of unauthorized data harvesting, retention of sensitive page contents, and user surprise about what the tool can do.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The init/capture workflow builds a generalized content-harvesting pipeline: it analyzes sites, detects login/search patterns, extracts sample content, and records reusable playbooks for future capture. In a tool advertised as secure browser automation, this hidden capability is dangerous because it enables scalable collection of web content, potentially including authenticated or proprietary data, under the cover of a narrower stated purpose.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The code presents a 2FA-protected approval flow and logs that verification completed, but it only validates that the input is 6-8 digits. Any attacker or misbehaving automation can supply an arbitrary numeric string and bypass the intended second-factor control for destructive actions, turning a security gate into a cosmetic check.

Context-Inappropriate Capability

Medium
Confidence
78% confidence
Finding
The manifest explicitly supports access to high-value vault credentials including Bitwarden and 1Password tokens, while the package description understates the tool as a browser capture utility. In a browser automation skill, this materially increases risk because the skill may obtain secrets that could be abused for credential theft, lateral movement, or unauthorized secret retrieval if other controls fail.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The CLI adds substantial site profiling, content capture, and scrapbook export capabilities that go beyond the declared secure-browser-automation scope. This expands the tool into persistent web scraping and data collection, increasing risk of unauthorized capture of sensitive/authenticated content and making operator trust assumptions inaccurate.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The config command executes whatever program is named in the EDITOR environment variable via spawn. An attacker who can influence the environment can cause arbitrary local code execution when a user runs `browser-secure config --edit`, and the skill provides no validation or warning.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The code contradicts its own documented security model: comments state that interactive mode requires an explicit flag, but the function still prompts by default whenever neither the unattended nor the auto-approve option is set. In a security-sensitive approval system this misleads operators about when a prompt will appear: a workflow assumed to be non-interactive can hang on an unexpected prompt, or be run with auto-approve to avoid the hang, which silently removes the gate the documentation promises.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The code claims 2FA verification is completed, but it only validates that the input is 6-8 digits and then approves the destructive action. This effectively nullifies the 2FA control, because any attacker or misbehaving caller can supply an arbitrary numeric string and obtain approval for actions explicitly marked as destructive.

Vague Triggers

Medium
Confidence
79% confidence
Finding
A freeform natural-language `act` command is an overly broad interface for a browser automation skill, especially when paired with sensitive authenticated browsing. Broad triggers and unconstrained instructions increase the risk of unsafe or unintended actions, including navigation, data extraction, or interactions outside the documented secure workflow.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README advertises an auto-approved mode that can store full text and raw HTML without a strong, nearby warning about privacy, retention, and legal/compliance consequences. Because this tool targets gated and authenticated content, bulk recording without clear warning increases the chance of capturing sensitive, licensed, or personal data inadvertently.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The config command executes the program referenced by the EDITOR environment variable without validation or a user-facing warning. Because environment variables are attacker-influenced in many execution contexts, this can lead to arbitrary command execution when a user invokes the seemingly benign config editor path.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The function persistently stores page screenshots and, optionally, full HTML under the user's home directory, which can capture sensitive page contents such as account data, internal documents, tokens rendered in the DOM, or regulated information. In a browser automation skill explicitly designed for authenticated and sensitive operations, saving these artifacts without an explicit consent/check at this point materially increases the risk of local data exposure and over-collection.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The capture metadata records whether credentials were used and ties that fact to a specific URL, site, timestamp, and stored artifacts, creating a sensitive activity log. Even though it does not store the credentials themselves, this metadata can reveal authentication state and user behavior, which becomes more sensitive in a tool intended for authenticated browsing and compliance-related capture.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code automatically stores page screenshots in a persistent directory under the user's home folder, which can capture sensitive information such as authenticated sessions, account data, internal pages, or personal content. In the context of a 'browser-secure' skill intended for sensitive and authenticated browsing, silent persistent retention materially increases privacy and data exposure risk if the host is shared, backed up, or later compromised.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The logger persists potentially sensitive runtime data to a plaintext file in the user's home directory, including stack traces, session IDs, command-line arguments, URLs, and arbitrary context. In this skill's security-sensitive browser automation context, those fields can easily contain credentials, auth tokens, internal URLs, or other secrets, and the code provides no redaction, consent, or file-permission hardening for the log file itself.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The manual password prompt uses a plain readline `question()` call, which echoes the password in cleartext to the terminal as the user types. In a skill explicitly designed for secure browser automation and sensitive operations, this increases the risk of shoulder-surfing, capture in terminal session recordings, screen-recording leakage, and inadvertent disclosure in shared or audited environments.

Missing User Warnings

Medium
Confidence
74% confidence
Finding
The EnvironmentVault silently reads site credentials from process environment variables based solely on the requested site name, with no approval gate, disclosure, or validation of whether env-based secret access is intended. In a browser automation skill advertised as 'secure' and suitable for sensitive operations, this fallback can cause unintended credential use or broaden the attack surface if an upstream caller can influence the site parameter or process environment.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The setup flow explicitly enables auto-installation of multiple dependencies, including package-manager driven installs, without describing strong trigger constraints, trust validation, or user confirmation boundaries in this file. In a security-sensitive browser automation skill, broad installation behavior increases supply-chain and unexpected system-modification risk, especially if setup is run in privileged or developer environments.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The setup instructions tell the user to export a Bitwarden session token directly into the shell environment but do not warn that this token is sensitive and may be exposed through shell history, process environments, logs, or downstream commands. For a skill handling authenticated browsing and vault integration, normalizing unsafe credential handling raises the chance of credential leakage and account compromise.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The tool launches the program from EDITOR without telling the user which executable will run. In a security-sensitive skill, silent execution of an environment-controlled local program increases the chance of unintended code execution and social-engineering abuse.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
When saveHtml is enabled, the workflow writes the full DOM of the current page to a predictable local scrapbook directory under the user's home folder. In a security-focused browser automation skill that may operate on authenticated or sensitive sites, this can persist secrets, PII, tokens, and internal content to disk without any enforcement in this function of consent, redaction, encryption, or sensitivity checks.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The function always saves a screenshot of the page to disk, which may capture account data, private documents, session-specific information, or other sensitive visual content. Because this skill is explicitly designed for authenticated browsing and sensitive operations, unconditional screenshot persistence materially increases the risk of local data exposure and unintended retention.

Missing User Warnings

High
Confidence
78% confidence
Finding
This function stores captured page content, excerpts, full text, URLs, referrers, selectors, screenshots, and approval metadata to persistent local files. In the context of a 'browser-secure' skill intended for authenticated and sensitive browsing, that creates a meaningful confidentiality risk because sensitive corporate, personal, or regulated content may be retained on disk longer than expected and later exposed through local compromise, backups, or shared workstation access.

VirusTotal

67 of 67 vendors reported this skill as clean.
