ClawHub

Browser Secure

AdvisoryAudited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec, suspicious.dynamic_code_execution, suspicious.exposed_secret_literal

Findings (19)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ConcernMedium Confidence
ASI02: Tool Misuse and Exploitation
What this means

On a logged-in site, an automated browser action could submit forms, change account data, post content, or make purchases before a person reviews each step.

Why it was flagged

The skill exposes broad natural-language browser actions that can run in a fully automated mode. Given the same artifact set describes authenticated/sensitive-site use and the capability signals include purchase authority, this is high-impact unless approvals and site/action limits are enforced.

Skill content
# Perform actions (fully automated)
browser-secure act "click the login button"
browser-secure extract "get the article headlines"
Recommendation

Use interactive mode for authenticated or money-related sites, require explicit approvals for form submission/purchases/destructive actions, and restrict unattended use to low-risk sites and read-only tasks.

ConcernHigh Confidence
ASI03: Identity and Privilege Abuse
What this means

If the automation uses a personal or work Chrome profile, it may act as you on sites where you are already logged in.

Why it was flagged

Using an existing Chrome profile gives the automation access to local authenticated sessions and extensions for potentially many sites, not just one narrowly scoped credential. The behavior is disclosed, but it is broad identity/session authority.

Skill content
Browser Secure can use your existing Chrome profiles, giving you access to saved cookies, session state, and existing website logins.
Recommendation

Prefer incognito or a dedicated automation profile. Avoid using a primary personal/work profile unless necessary, and confirm the exact target site and action before granting profile access.

ConcernHigh Confidence
ASI06: Memory and Context Poisoning
What this means

Sensitive page contents from logged-in sessions may remain on disk after the browser session ends.

Why it was flagged

Captured page text, optional full HTML, and screenshots are persisted to the local scrapbook store. For authenticated browsing, these files can contain sensitive account or page data, and the provided capture code does not show a retention limit for scrapbook data.

Skill content
full_text: options.saveFullText ? content.body : undefined,
html_path: htmlPath,
...
screenshot: screenshotPath,
...
saveCapture(capture);
Recommendation

Disable full-text/HTML capture unless needed, review and purge ~/.browser-secure/scrapbook regularly, and avoid capturing pages containing secrets, financial data, or private account details.

NoteHigh Confidence
ASI07: Insecure Inter-Agent Communication
What this means

If enabled, browsing activity logs may leave your machine and be sent to the configured endpoint.

Why it was flagged

Audit sessions can be sent to a configured webhook when audit mode is not file-only. This is user-configured and not enabled by default in the shown config loader, but audit records may include sensitive activity metadata.

Skill content
const response = await fetch(webhookUrl, {
  method: 'POST',
  headers,
  body: JSON.stringify(session)
});
Recommendation

Keep audit mode set to local file unless you trust and control the webhook destination, and avoid putting secrets in audit details or headers.

NoteHigh Confidence
ASI04: Agentic Supply Chain Vulnerabilities
What this means

Setup may install software or create a global command on your machine.

Why it was flagged

The onboarding flow can install external browser/vault tooling and link a global CLI. This is disclosed and purpose-aligned, but it changes the local environment and depends on external package sources.

Skill content
"autoInstall": [
  "playwright chromium browser",
  "bitwarden-cli (if brew available)",
  "1password-cli (if brew available)"
]
Recommendation

Review setup prompts, install dependencies manually if you prefer tighter control, and verify package sources before running onboarding.

Findings (19)

critical

suspicious.dangerous_exec

Location
dist/browser/daemon.js:150
Finding
Shell command execution detected (child_process).
critical

suspicious.dangerous_exec

Location
dist/browser/secure-session.js:40
Finding
Shell command execution detected (child_process).
critical

suspicious.dangerous_exec

Location
dist/cli.js:317
Finding
Shell command execution detected (child_process).
critical

suspicious.dangerous_exec

Location
dist/vault/discovery.js:35
Finding
Shell command execution detected (child_process).
critical

suspicious.dangerous_exec

Location
dist/vault/index.js:12
Finding
Shell command execution detected (child_process).
critical

suspicious.dangerous_exec

Location
scripts/onboarding.js:40
Finding
Shell command execution detected (child_process).
critical

suspicious.dangerous_exec

Location
src/browser/daemon.ts:193
Finding
Shell command execution detected (child_process).
critical

suspicious.dangerous_exec

Location
src/browser/secure-session.ts:66
Finding
Shell command execution detected (child_process).
critical

suspicious.dangerous_exec

Location
src/cli.ts:372
Finding
Shell command execution detected (child_process).
critical

suspicious.dangerous_exec

Location
src/vault/discovery.ts:71
Finding
Shell command execution detected (child_process).
critical

suspicious.dangerous_exec

Location
src/vault/index.ts:30
Finding
Shell command execution detected (child_process).
critical

suspicious.dynamic_code_execution

Location
dist/browser/secure-session.js:632
Finding
Dynamic code execution detected.
critical

suspicious.dynamic_code_execution

Location
src/browser/secure-session.ts:747
Finding
Dynamic code execution detected.
critical

suspicious.exposed_secret_literal

Location
dist/research/site-profiler.js:29
Finding
File appears to expose a hardcoded API secret or token.
critical

suspicious.exposed_secret_literal

Location
dist/vault/discovery.js:229
Finding
File appears to expose a hardcoded API secret or token.
critical

suspicious.exposed_secret_literal

Location
dist/vault/index.js:47
Finding
File appears to expose a hardcoded API secret or token.
critical

suspicious.exposed_secret_literal

Location
src/research/site-profiler.ts:55
Finding
File appears to expose a hardcoded API secret or token.
critical

suspicious.exposed_secret_literal

Location
src/vault/discovery.ts:308
Finding
File appears to expose a hardcoded API secret or token.
critical

suspicious.exposed_secret_literal

Location
src/vault/index.ts:66
Finding
File appears to expose a hardcoded API secret or token.