Back to skill

Security audit

Sell Live Dataset

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local-browser automation bridge, but users should understand it can use an existing ZClaw API key to control authenticated Ziniao browser stores.

Install only if you want an agent to control Ziniao Browser through the local ZClaw bridge. Treat the ZClaw API key like a password, avoid pasting it into chats you do not trust, and remember that actions may run inside browser stores that already have active website sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to automatically run authentication flows and session caching, including launching a browser and completing login without first obtaining clear user consent. This is dangerous because it can cause unintended credential use, persistent session creation, and side effects on the user's account or environment before the user explicitly approves those actions.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.