WebMCP

Security checks across malware telemetry and agentic risk

Overview

WebMCP is a coherent developer integration skill, but its browser bridge exposes agent tools over cross-frame messages without origin checks, which users should review before installing or deploying.

Install only if you are prepared to harden the generated bridge before production use. Add strict origin/source validation, replace wildcard postMessage targets with trusted origins, minimize exposed status metadata, require confirmation for mutating or destructive tools, avoid routing passwords through agent tools where possible, and do not store sensitive form fields in localStorage. Pin and verify any npm package before running npx or installing globally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Context-Inappropriate Capability

High (98% confidence)
Finding
The bridge processes privileged postMessage commands such as tool dispatch, registration, unregistration, and status retrieval from any sender because it never validates event.origin or otherwise authenticates the message source. In a web app context, any embedded or opened frame that can message this page may invoke registered browser tools and enumerate available capabilities, which can lead to unauthorized actions, data access, or abuse of sensitive tool functionality.

Intent-Code Divergence

Medium (93% confidence)
Finding
The comment implies origin validation is optional ('if needed') even though the code immediately handles sensitive cross-frame commands without any access control. This is dangerous because it normalizes an insecure default and increases the chance developers deploy the bridge believing the current behavior is acceptable for production.

Vague Triggers

Medium (92% confidence)
Finding
The trigger list contains broad phrases like "ai agent web," "agent accessible," and "tool registration" that could cause the skill to activate during normal discussion rather than only on clear user intent. Because this skill enables file reads/writes and shell access, accidental invocation increases the chance of unintended code changes or setup actions in unrelated contexts.

Missing User Warnings

Medium (81% confidence)
Finding
The skill documents state-changing capabilities such as addToCart, updateProfile, checkout flow, export functionality, and comment posting without clearly warning that these operations can modify user data or application state. In an agent-execution setting, this can normalize unsafe automation patterns and make it easier for an agent or developer to expose mutating actions without confirmation, authorization, or audit controls.

Missing User Warnings

Medium (85% confidence)
Finding
The bridge sends readiness, session ID, tool count, and tool names via postMessage using '*' as the target origin, which can disclose internal capability and session metadata to an untrusted parent frame. In this skill's context, tool discovery information materially helps an attacker understand what privileged actions are available and coordinate follow-on abuse.

Missing User Warnings

Medium (93% confidence)
Finding
The clearChat tool performs a destructive action with no built-in confirmation, warning, or safeguard. In an agent-accessible web app, this increases the chance of accidental or manipulated invocation that irreversibly removes conversation history, causing data loss and disrupting user workflows.

Missing User Warnings

Medium (89% confidence)
Finding
The tool stores arbitrary form draft contents in localStorage, which persists across sessions and is readable by any script running on the same origin. If forms contain sensitive fields such as personal data, tokens, or payment-related information, this creates a client-side data exposure risk, especially in the event of XSS or shared-device use. In this skill context, the danger is elevated because the tool is generic and can be reused for many forms without restrictions on what fields may be persisted.

VirusTotal

66/66 vendors flagged this skill as clean.