Browser Harness

Security checks across malware telemetry and agentic risk

Overview

This skill is openly designed to let an agent control a real logged-in Chrome browser, but that high-impact access needs careful review before installation.

Install only if you deliberately want an agent to operate a real logged-in Chrome session. Use a separate Chrome profile, prefer BH_PUBLIC_ONLY=1 for routine browsing, avoid BH_ALLOW_SENSITIVE and BH_RAW_OK unless you personally approve the exact action, review write/upload commands before they run, keep sensitive data out of screenshots and domain-skills, and stop the daemon when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill exposes high-risk shell-capable operations (`scripts/run.sh ...`) while declaring no required permissions, which can mislead users or policy layers about the actual execution capability. In this specific skill, those shell commands can attach to a real logged-in Chrome session and drive browser actions on behalf of the user, so undeclared capability materially increases the chance of unsafe deployment or insufficient review.

Intent-Code Divergence

Medium
Confidence: 90%
Finding: The document claims the skill relies on precisely pinned upstream dependencies, yet later instructs users to upgrade to `@latest`. That undermines reproducibility and trust in the reviewed version, and could silently introduce unreviewed code or behavior changes into a high-risk browser-control tool.

Missing User Warnings

Medium
Confidence: 90%
Finding: These examples demonstrate state-changing actions on real logged-in services, including starring a GitHub repo, creating a CRM customer, and uploading a file, but they do not prominently warn that the commands operate against the user's live session and can cause real external side effects. In a browser-harness context that explicitly reuses authenticated Chrome state, omission of side-effect warnings increases the risk of accidental unauthorized changes to third-party or internal systems.

Missing User Warnings

Medium
Confidence: 88%
Finding: The read examples target logged-in services and show exporting page contents to stdout or local files, such as dumping Feishu document text to doc.txt and reading e-commerce/account-linked data, without warning that sensitive user or enterprise data may be copied outside the browser boundary. Because this skill is designed to access the user's real authenticated session, even read-only examples can facilitate unintended data exfiltration into agent logs, terminals, or workspace files.

Missing User Warnings

Medium
Confidence: 90%
Finding: This documentation explicitly promotes controlling a real, logged-in Chrome instance with shared cookies/session state, which can lead an agent to perform actions on behalf of the user across sensitive accounts. Although the file contains some scattered safety notes elsewhere, the flagged section lacks a clear, prominent warning at the point where these capabilities are explained, increasing the risk of privacy violations, unintended account actions, and session abuse.

Missing User Warnings

Medium
Confidence: 95%
Finding: These instructions tell users to enable Chrome remote debugging and attach to a real logged-in tab, but they do not clearly warn that this grants the tool access to page content, cookie-backed sessions, and the ability to act as the user in that browser context. In a skill explicitly designed to control a real authenticated browser, omission of a strong warning materially increases the chance of unsafe deployment or misuse.

VirusTotal

65/65 vendors flagged this skill as clean.
