
Security audit

kosmi dj

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims, but it needs review because it automates an authenticated browser session and relies on loosely scoped local configuration and persistence controls.

Install only if you are comfortable letting an automated browser control a Kosmi room. Use a dedicated Kosmi account, verify the room URL is really a Kosmi URL before storing credentials, protect and audit the .env file, prefer encrypted or disposable browser sessions, and stop the DJ loop when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (12)

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding: The script sources a plugin-wide .env file into the current shell, importing every variable and any shell syntax contained in that file. For a simple browser-automation task, this is broader than necessary and creates risk of unintended secret exposure or code execution if the .env contents are modified or not strictly data-only.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The skill explicitly describes launching a long-running background DJ loop and managing it via a PID file, but it does not clearly warn the user that an autonomous process may continue running after the immediate interaction ends. That can lead to unintended ongoing browser automation, continued media playback, resource consumption, and loss of user control or awareness.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The skill instructs use of stored room credentials in a .env file and persistent browser sessions, but does not provide a clear privacy/security warning about credential handling, session retention, or the risks of shared environments. This increases the chance of accidental credential exposure, unauthorized reuse of authenticated sessions, or unexpected persistence of access to private Kosmi rooms.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The documentation explicitly recommends persistent browser sessions that retain cookies, localStorage, and sessionStorage on disk, which can preserve authentication tokens and other sensitive data across runs. In a browser-automation skill, this increases exposure if the host is shared, the profile directory is accessible, or session data is reused without the user's clear awareness and consent.

Missing User Warnings

Severity: Medium
Confidence: 80%
Finding: The form-submission example includes filling a password field with a literal secret but provides no warning about credential handling, logging, shell history, or safe input practices. In an agent-browser automation context, this can normalize insecure credential entry and lead operators to pass real passwords through scripts, terminals, or logs where they may be exposed.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The script sources a repository-local .env file as shell code using `source "$ENV_FILE"`, which executes arbitrary commands contained in that file, not just variable assignments. If an attacker can modify the repo, working tree, or .env contents, they can achieve code execution when the skill runs; in this automation context, that code may also inherit browser/session credentials and control over the user's Kosmi session.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: This debug script prints the full accessibility snapshot, including visible element names and labels from the active browser page, directly to stdout. In a Kosmi/browser-automation context, those labels can include room names, usernames, chat snippets, video titles, or other sensitive on-page data, so the script creates an information disclosure risk if run in shared terminals, logs, or CI output.

Credential Access

Severity: High
Category: Privilege Escalation
Content:
PLUGIN_ROOT="$(cd "$SCRIPT_DIR/../../.." && pwd)"

# ---------------------------------------------------------------------------
# Load .env
# ---------------------------------------------------------------------------
ENV_FILE="${PLUGIN_ROOT}/.env"
if [[ -f "$ENV_FILE" ]]; then

Confidence: 79%
Finding: .env

Credential Access

Severity: High
Category: Privilege Escalation
Content:
# ---------------------------------------------------------------------------
# Load .env
# ---------------------------------------------------------------------------
ENV_FILE="${PLUGIN_ROOT}/.env"
if [[ -f "$ENV_FILE" ]]; then
  set -a
  # shellcheck disable=SC1090

Confidence: 98%
Finding: .env"

Credential Access

Severity: High
Category: Privilege Escalation
Content:
# ---------------------------------------------------------------------------
# Load .env
# ---------------------------------------------------------------------------
ENV_FILE="${PLUGIN_ROOT}/.env"
if [[ -f "$ENV_FILE" ]]; then
  set -a
  # shellcheck disable=SC1090

Confidence: 90%
Finding: .env"

Credential Access

Severity: High
Category: Privilege Escalation
Content:
PLUGIN_ROOT="$(cd "$SCRIPT_DIR/../../.." && pwd)"

# ---------------------------------------------------------------------------
# Load .env
# ---------------------------------------------------------------------------
ENV_FILE="${PLUGIN_ROOT}/.env"
if [[ -f "$ENV_FILE" ]]; then

Confidence: 95%
Finding: .env

Credential Access

Severity: High
Category: Privilege Escalation
Content:
# ---------------------------------------------------------------------------
# Load .env
# ---------------------------------------------------------------------------
ENV_FILE="${PLUGIN_ROOT}/.env"
if [[ -f "$ENV_FILE" ]]; then
  set -a
  # shellcheck disable=SC1090

Confidence: 95%
Finding: .env"

VirusTotal

63/63 vendors flagged this skill as clean.
