auto-browser

Security checks across malware telemetry and agentic risk

Overview

This skill is a real browser-automation helper, but it gives an agent broad control of Chrome and can start/configure that control without enough user consent.

Review carefully before installing. Use a dedicated automation-only Chrome profile, avoid sensitive logged-in accounts, pin and review the MCP package instead of using @latest, require explicit consent before starting CDP or making account changes, and stop the debug Chrome process when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The skill goes beyond using the declared browser automation toolset by instructing the agent to probe a local debugging endpoint and launch Chrome through shell commands. This expands the agent's capabilities into local process execution and system modification, increasing risk of unauthorized browser startup, exposure of a CDP endpoint, and interaction with local user state outside the intended tool boundary.

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding
The skill claims all browser actions must use the user-playwright-cdp toolset, but elsewhere instructs the agent to use shell commands to check and start Chrome. This inconsistency weakens safety boundaries by normalizing tool bypass and making it easier for the agent to perform actions outside the reviewed browser-automation interface.

Vague Triggers

Severity: High
Confidence: 93%
Finding
The trigger phrases are broad and map to common conversational requests like opening a browser, clicking, filling forms, scraping, or taking screenshots. That makes accidental invocation more likely, which is especially risky here because the skill can access a real browser session and perform actions on authenticated sites.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The skill explicitly instructs automatic startup of Chrome with remote debugging enabled and says to do so without asking the user. Enabling a CDP endpoint and creating a new profile without consent can expose browser control surfaces, alter the local environment, and surprise users with a powerful automation context they did not approve.

VirusTotal

65/65 vendors flagged this skill as clean.