Token Efficient Web Operations

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed browser-automation testing skill, but it should only be used in an isolated, non-sensitive browser because it can click and type on pages.

Install only if you need browser UI automation testing. Review the required Chrome extension source, use a dedicated browser profile with no saved credentials or real sessions, restrict it to test/public domains, and require confirmation before submit, save, delete, login, payment, upload, or account-changing actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Description-Behavior Mismatch

Medium (94% confidence)
Finding:
The skill explicitly acknowledges that sensitive fields such as password, hidden, and file inputs are not indexed but can still be written via raw DOM APIs. That undermines the earlier safety framing and enables automation of sensitive interactions on pages the skill claims should be out of scope, increasing the risk of credential stuffing, unauthorized form submission, or unsafe handling of secrets.

Intent-Code Divergence

High (97% confidence)
Finding:
The document contains contradictory security guidance: it says sensitive fields must not be read or modified, but later states they can still be written through native DOM operations. This inconsistency is dangerous because operators or downstream agents may rely on the stricter statement while the skill still documents a practical bypass, enabling misuse on login and other sensitive pages.

Description-Behavior Mismatch

Medium (96% confidence)
Finding:
The skill explicitly states that password, hidden, and file inputs are not indexed, but then documents that they remain writable through native DOM APIs. This undermines the earlier safety claims and creates a practical path for the agent to interact with sensitive fields despite the stated restrictions, enabling misuse on login or upload flows.

Intent-Code Divergence

Medium (95% confidence)
Finding:
The skill says it must not be used on login pages or sensitive fields, but elsewhere acknowledges that password fields can still be modified through direct DOM access. That contradiction weakens operator trust boundaries and makes it easy for an agent or user to bypass the intended limitation in exactly the contexts the skill claims to forbid.

VirusTotal

61/61 vendors flagged this skill as clean.