ClawHub

Skylv Browser Automation Agent

Security checks across malware telemetry and agentic risk

Overview

This browser automation skill is instruction-only, but it teaches stealth anti-bot techniques and authenticated scraping without enough safety boundaries.

Use only for browser automation you are authorized to perform. Avoid using the stealth/anti-detection examples against third-party sites, isolate any sessions that use real credentials, and treat screenshots and scraped data as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill explicitly includes stealth and anti-detection logic such as modifying navigator.webdriver, spoofing browser fingerprints, and rotating User-Agent headers. In a browser automation skill, these features materially increase misuse potential by helping automated activity evade site defenses and detection rather than just enabling normal testing or scraping.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The Puppeteer example repeats the same evasion behavior by disabling automation-controlled blink features and redefining navigator.webdriver. This is not necessary for ordinary browser automation and makes the skill more capable of bypassing anti-bot controls, increasing abuse potential.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The examples demonstrate logging in with credentials, scraping authenticated data, and writing screenshots to disk without any warnings or safety constraints. In an agent skill, this omission can lead users or downstream agents to handle secrets, personal data, and file outputs insecurely, causing privacy, compliance, or data exposure issues.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal