ManoBrowser

Security checks across malware telemetry and agentic risk

Overview

ManoBrowser is a disclosed browser automation skill, but it needs Review because it can control logged-in Chrome sessions, use cookies, collect sensitive page data, and persist detailed workflow artifacts with uneven consent and redaction safeguards.

Install only if you are comfortable letting this skill operate your logged-in Chrome through a remote MCP connection. Avoid banking, healthcare, email, admin consoles, and other highly sensitive accounts; review every generated workflow before reuse; require a final manual confirmation before uploads, submits, or publishes; and delete temporary cookie files and workflow logs after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (29)

Intent-Code Divergence

Medium
Confidence
77% confidence
Finding
The skill says direct API calling is not an applicable use case while elsewhere exposing fetch_api/fetch_api_batch and explicitly promoting API reverse engineering. Contradictory guidance can mislead reviewers and users about network reach, reducing scrutiny over outbound requests and authenticated data access.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill explicitly provides a page-protection mechanism that blocks the user's own interaction with their browser tab during automation. In a skill whose metadata emphasizes operating the user's real logged-in browser, this materially increases risk because it can temporarily remove user control while actions occur in authenticated sessions, enabling covert or hard-to-interrupt activity.

Description-Behavior Mismatch

Low
Confidence
86% confidence
Finding
The skill documents direct HTTP/API requests that can include browser cookies, extending capability beyond ordinary tab automation into authenticated background data access. That broadens the attack surface because it allows extraction or transmission of session-backed data without the normal visibility and friction of interacting through the page UI.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill exposes arbitrary JavaScript execution and persistent script injection, including MAIN-world execution that can access page variables and modify page behavior. In the context of a browser skill operating on real logged-in sites, this can be used to tamper with workflows, extract sensitive data, bypass intended UI constraints, or persist logic beyond a single action.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The file explicitly requires logging the agent's detailed reasoning, tool parameters, outputs, and user input. Capturing internal reasoning and broad execution context exceeds the stated browser-automation purpose and can expose sensitive decision-making traces, secrets, or login-protected data encountered during browsing. In this skill's context—operating a real logged-in browser—this is more dangerous because the logs may include highly sensitive authenticated content.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The workflow instructs scanning all available skills in the environment, which is outside the narrow purpose of browser task execution and logging. Enumerating environment capabilities increases the attack surface, may reveal sensitive internal tooling, and enables unintended cross-skill data access or capability chaining. In a browser skill with access to authenticated sessions, this broadening of scope is unjustified and risky.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The file directs execution of a local Python validation script, introducing local code execution beyond the declared browser-automation purpose. Even if intended for validation, invoking local scripts creates a pathway for unintended command execution, environment interaction, and abuse if paths or script contents are modified. This is especially concerning in an agent skill because it normalizes stepping outside the browser boundary into host-side execution.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The checklist explicitly instructs extraction of document.cookie from the user's real logged-in browser session, which exposes session tokens and other authentication material. In the context of a browser-operating skill designed to access login-protected data, this is highly sensitive and can enable account takeover, replay of authenticated requests, and unauthorized access beyond the immediate task.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The checklist directs use of network debugging and packet capture to collect full request and response bodies, but provides no safeguards for sensitive headers, tokens, personal data, or confidential business data that may be present. In this skill's context of reverse-engineering authenticated APIs behind login walls, such capture materially increases the risk of credential leakage and mass data exposure.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger phrases are extremely broad and include common language such as logging in, scraping, automating, and any browser interaction request. This creates a genuine risk of over-invocation, causing the skill to activate in situations where the user did not intend powerful browser control over authenticated sessions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation states that network requests may be sent with browser cookies but does not clearly warn that this can transmit privacy-sensitive authenticated data. In this skill context, cookie-backed requests can access account-specific content and APIs, so missing disclosure increases the chance of unsafe or uninformed use.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The page-protection feature is described as blocking all user interactions, but the documentation does not foreground the practical effect that the user may temporarily lose control of their tab. In a real-browser automation skill, this omission is dangerous because it reduces the user's ability to notice, interrupt, or correct unintended authenticated actions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The instructions state that after generating workflow.json, the system will automatically proceed to execute CREATOR.md to generate a Skill once the user confirms, but the overall module also mandates automatic file creation and staged execution with little emphasis on change warnings or a clear consent checkpoint before the next system-modifying phase. In a browser-automation skill that can operate in a logged-in Chrome context, implicit continuation into artifact generation increases the risk of users authorizing broader actions than they intended.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill mandates detailed logging of user input, tool parameters, outputs, and reasoning, but does not provide a clear upfront privacy notice or obtain informed consent for storing that sensitive data. In this context, the browser may access personal accounts, private messages, business dashboards, or other login-protected content, so the resulting logs can become a concentrated repository of sensitive information. The combination of deep logging and no explicit warning materially increases privacy and compliance risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The module states that after user confirmation it will automatically continue to later phases and save logs, but it does not give an upfront warning that local files will be created and additional stages may run automatically. This undermines informed user consent and may surprise users with persistent storage and further processing of sensitive browser-derived data. In a logged-in browser automation skill, silent persistence and auto-progression are particularly risky.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The mode-1 trigger conditions are overly broad (e.g. generic phrases like 'help me do...' or 'automate...'), which can cause the skill to activate on ordinary browsing requests and escalate them into real browser execution and skill creation. In this skill's context, that is more dangerous because it operates the user's logged-in Chrome and can perform authenticated actions, so accidental invocation can lead to unintended account actions or data extraction.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly records tool calls, reasoning, errors, and structured execution logs, but it does not warn that these artifacts may capture highly sensitive information such as session-derived data, personal content, account identifiers, or form inputs from authenticated sites. Because this skill works inside the user's real logged-in browser, the logging feature materially increases the risk of storing and reusing secrets or private data beyond the immediate task.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The document requires actual execution of browser steps for validation and states that generated skills may be automatically published to a server if a publishing tool exists, yet it does not provide explicit risk disclosure or opt-in for authenticated actions and remote publication. In this context, that is especially dangerous because the skill can act through real user sessions and convert those actions into reusable artifacts that may be distributed or persisted without sufficiently informed consent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill performs a real external side effect by clicking the publish button and explicitly states that the note is published after that step, but it does not require an explicit user confirmation immediately before execution. In a browser-automation skill operating on the user's logged-in account, this creates a meaningful risk of unintended public posting, reputational harm, spam, or accidental disclosure if the parameters are wrong or the workflow is triggered prematurely.

Missing User Warnings

High
Confidence
98% confidence
Finding
The workflow culminates in an unconditional click on the publish button in the user's real logged-in browser, with no explicit confirmation, preview, or user-approval checkpoint in the manifest. In the context of a browser automation skill operating on authenticated sessions, this is especially dangerous because it can cause unintended public posting, reputational harm, policy violations, or account misuse with a single triggered run.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The rules explicitly instruct collecting user information, article content, statistics, and other page data from the user's logged-in browser, but provide no consent gate, data minimization requirement, or sensitive-data handling restrictions. In the context of this skill—whose stated purpose is extracting data behind login walls—this omission materially increases the risk of unauthorized scraping of private or account-scoped information.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The examples normalize file upload and content publishing workflows without warning that these actions can change external systems, post on behalf of the user, or expose local files. In a browser automation skill operating with the user's real authenticated session, missing guardrails around destructive or externally visible actions creates meaningful risk of accidental posting, unwanted uploads, or manipulation of third-party accounts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs use of `fetch_api` with `includeCookies: true` against discovered endpoints on logged-in platforms, enabling authenticated requests using the user's browser session. In the context of a browser-control skill whose stated purpose includes extracting data behind login walls and reverse-engineering private APIs, this can access and exfiltrate sensitive account data without any explicit user warning, consent checkpoint, scope limitation, or data-minimization control.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill advertises very broad trigger phrases such as extracting 'any visible structured content' and examples that overlap with common user browsing requests. In the context of ManoBrowser, which operates a real logged-in browser and can access content behind login walls, overbroad invocation criteria increase the chance of unintended data extraction from sensitive pages without a clearly scoped user intent.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill instructs the agent to execute JavaScript in the page's MAIN world and collect comprehensive DOM content, including text, links, images, Shadow DOM content, and context from the user's active Chrome session, but it does not prominently warn the user about script execution or the scope of page data collection. In a logged-in browser environment, this omission is dangerous because users may not realize the skill can extract sensitive information visible only within authenticated sessions.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.
