Browser Automation Ultra

Security checks across malware telemetry and agentic risk

Overview

This skill openly enables logged-in browser automation, but it also teaches anti-detection behavior and includes examples that read private data or publish/reply on real accounts without a final safety check.

Install only if you deliberately want scripts to control a logged-in browser profile. Use a separate browser profile or test accounts, remove or ignore anti-detection guidance that could violate platform rules, and add your own confirmation/dry-run/redaction controls before reading mail, exporting comments, publishing content, or sending replies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill clearly instructs users to install and run Playwright scripts, execute shell commands, and use environment variables, yet it declares no permissions. That mismatch weakens informed consent and review because operators may not realize the skill can execute local code and interact with the host environment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
Although presented as a generic browser-automation utility, the skill also advertises concrete workflows for reading mail, extracting comment data, replying to users, and publishing to social platforms. This broader operational scope increases the chance of unintended access to private data or unauthorized actions through authenticated sessions.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly tells users to reuse an existing Chrome context with intact cookies and login state, but it does not warn that scripts will inherit full access to whatever accounts are signed in. In this context, any script bug, prompt injection in downstream tasks, or misuse could act as the user, read sensitive content, or perform destructive account actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The examples normalize automations that publish content, reply to comments, and read Proton Mail without clearly flagging that these are account-impacting and privacy-sensitive operations. In a skill designed for replayable automation, this omission makes dangerous actions appear routine and lowers the barrier to accidental misuse.

Natural-Language Policy Violations

High
Confidence
97% confidence
Finding
The skill mandates 'human-like' interaction specifically to avoid bot detection, including randomized delays, simulated browsing, and anti-detection rules. This is dangerous because it is not merely automation; it is explicit evasion of platform safeguards, enabling stealthy abuse of authenticated accounts for scraping, posting, or engagement manipulation.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This document explicitly instructs operators how to avoid behavioral detection by platforms while automating browser activity. That is dangerous because it operationalizes stealth techniques for login, publishing, scraping, and form submission without any safety guardrails, policy warnings, or legitimate compliance framing, increasing the likelihood of abusive automation and account compromise workflows.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script performs a real publish action by clicking the final Publish button without any explicit confirmation gate, dry-run mode, or user acknowledgement immediately before submission. In this skill context, the script is designed to automate account-backed browser actions on a logged-in Behance session, so a mistaken invocation, bad selector match, or misuse could cause unintended public publication of content and reputational or operational harm.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script performs an actual DeviantArt submission by clicking the live `Submit` button with no interactive confirmation, dry-run mode, or final safety gate. In the context of a browser-automation skill explicitly designed to publish content using an already-authenticated session, this can cause unintended public posting, reputational damage, or accidental disclosure if the script is run with wrong inputs or on the wrong account.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This script performs a real Pinterest publish action automatically once required fields are populated, with no final confirmation, dry-run mode, or explicit safeguard before clicking the Publish button. In the context of a browser automation skill designed to replay actions on an already-authenticated session, that creates a meaningful risk of unintended public posting, reputational harm, or accidental publication of the wrong content.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script performs an irreversible external action by clicking the publish button immediately after filling content, with no interactive confirmation, dry-run mode, or explicit safeguard. In the context of a browser automation skill designed to automate posting workflows, this increases the risk of accidental or unauthorized publication if the script is invoked with incorrect content, on the wrong account, or in an unexpected browser session.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This script accesses a live authenticated Proton Mail session and prints private email metadata and body content to stdout/JSON without any consent prompt, redaction, or warning about handling sensitive data. In agent or shared logging environments, stdout is often captured, persisted, or forwarded, so the script can easily exfiltrate confidential mailbox contents beyond the user's intended browser session.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This script accesses an already-authenticated Xiaohongshu session, reads account-specific notification/comment data, and emits usernames, relationship labels, timestamps, and comment contents directly to stdout. In an agent-skill context, stdout is often captured by orchestration systems, logs, or downstream tools, so this creates a real privacy/data-exfiltration risk without any runtime consent, minimization, or disclosure to the end user.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script performs an irreversible user-visible action (posting a reply) immediately once invoked, without any explicit confirmation, dry-run mode, or last-moment safety check. In a browser-automation skill specifically designed to automate logged-in actions on real platforms, this increases the chance of accidental posting, unintended account activity, spam-like behavior, or misuse if the operator passes the wrong index or text.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
The file explicitly states its purpose is to make browser automation appear human in order to avoid risk-control and bot-detection mechanisms. In the context of a browser automation skill that also advertises anti-detection behavior, this is not a neutral UX aid; it is functionality intended to circumvent platform security controls and trust/safety enforcement.

Ssd 2

High
Confidence
99% confidence
Finding
The text openly states that platforms use behavioral analysis to detect automation and then provides instructions to mimic human behavior to avoid that detection. This is a direct stealth/evasion enablement pattern that can be used to bypass anti-bot controls on third-party services, making downstream abuse materially easier.

Ssd 4

High
Confidence
98% confidence
Finding
The rule set provides a cumulative playbook for deception: randomized delays, human-like typing, non-teleport clicks, simulated browsing, and jittered scheduling. In the context of a browser automation skill marketed for anti-detection and bot-resistant platforms, these steps collectively increase stealth and resilience of abusive automation campaigns.

VirusTotal

64/64 vendors flagged this skill as clean.
