tappi

Security checks across malware telemetry and agentic risk

Overview

This browser automation skill appears functional, but it exposes powerful page-script execution and local-file-to-website paths without enough scoping or user consent controls.

Install only if you need advanced browser automation and are comfortable supervising it closely. Do not let it operate on banking, admin, payment, OAuth, email, or other sensitive signed-in pages unless you explicitly approve each action, and avoid using paste --file or upload with secrets, credentials, private keys, or confidential documents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch

Medium, 95% confidence
Finding
The manifest frames this as lightweight browser control, but the implementation exposes `eval <js>`, which allows arbitrary JavaScript execution in the context of any page the agent is visiting. In a signed-in browser session, this can read page data, manipulate workflows, trigger actions, and exfiltrate sensitive in-page content well beyond ordinary navigation/click automation.

Description-Behavior Mismatch

Medium, 88% confidence
Finding
The skill description does not disclose coordinate-based controls, yet the code adds `click-xy`, `hover-xy`, `drag-xy`, and `iframe-rect`, explicitly positioned for cross-origin iframes and captchas. These primitives can bypass safer DOM-based interaction boundaries and enable opaque interactions with embedded content the agent cannot semantically inspect, increasing risk of misuse and deceptive automation.

Description-Behavior Mismatch

Medium, 97% confidence
Finding
`paste --file` reads arbitrary local files from disk and inserts their contents into the current browser page, but this capability is not described in the skill metadata. In an agent setting, this creates a direct local-file-to-web exfiltration path, especially dangerous because signed-in browser sessions may already be connected to external services ready to receive pasted secrets.

Missing User Warnings

Medium, 91% confidence
Finding
The documentation promotes direct local file upload to arbitrary websites but does not warn that this transmits local files off the machine to remote services. In an agent context, that omission increases the risk of accidental exfiltration of sensitive documents, images, or credentials through a signed-in browser session.

Missing User Warnings

Medium, 89% confidence
Finding
The guidance explicitly describes coordinate-based interaction with captchas, payment forms, and OAuth widgets, but it lacks warnings about sensitive, irreversible, or high-trust actions. In practice, this can enable accidental approval of payments, account linking, login consent, or anti-bot checkpoints without adequate verification.

Missing User Warnings

Medium, 93% confidence
Finding
The upload command transfers a local file into a live browser page without any explicit warning, confirmation, or policy check. In the context of an agent operating a signed-in browser, this can silently disclose private local files to remote services, making the absence of user-facing consent a meaningful security issue rather than a mere UX gap.

Missing User Warnings

Medium, 96% confidence
Finding
Arbitrary JavaScript evaluation in page context is a dangerous capability on its own, and exposing it without any warning or consent makes accidental or unauthorized destructive actions more likely. Because this skill operates against an existing signed-in browser, `eval` can inspect DOM state, extract tokens or sensitive content visible to the page, submit forms, or alter application state invisibly.

VirusTotal

66/66 vendors flagged this skill as clean.