Security audit

Agent Browser

Security checks across malware telemetry and agentic risk

Overview

This is a coherent browser automation skill, but it can handle logged-in sessions, captured pages, and saved authentication state, so it should be used deliberately.

Install only if you need browser automation and trust the local agent-browser executable. Avoid using it on sensitive logged-in accounts unless necessary, confirm before actions that change data or upload files, treat saved state files and recordings as secrets, keep them out of repositories, and delete them when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Vague Triggers

Medium, 88% confidence

Finding:
The skill description is broad enough to trigger on many generic browsing or information-gathering requests, which can cause an agent to invoke a powerful browser automation capability unnecessarily. In this skill, that increases exposure because the tool can navigate arbitrary URLs, access local/file/data contexts, manipulate sessions, and interact with sensitive web content.

Missing User Warnings

Medium, 91% confidence

Finding:
The documentation instructs users to handle usernames, passwords, and saved authenticated state files without warning that these artifacts may contain reusable secrets or session tokens. If copied, logged, or stored insecurely, an attacker could replay the session or harvest credentials to access protected accounts.

Missing User Warnings

Medium, 89% confidence

Finding:
The skill advertises screenshots, recording, cookie/storage access, request inspection, and proxying without privacy or authorization guardrails. In combination, these features can capture personal data, session identifiers, internal traffic, or restricted content from users' browsing sessions or target applications.

Missing User Warnings

Medium, 86% confidence

Finding:
The examples explicitly save authenticated browser state to a local JSON file, which commonly contains reusable session cookies or tokens. Although a best-practices section later warns not to commit state files, the example itself normalizes persistence of sensitive authentication material without immediate safeguards such as restricted file permissions, ephemeral storage guidance, or prominent warnings at the point of use.

Missing User Warnings

Medium, 89% confidence

Finding:
The OAuth, HTTP Basic Auth, cookie, and token examples demonstrate handling third-party credentials and reusable authentication tokens in plaintext commands and persisted state. In an automation skill focused on browser interaction, this context increases risk because users may copy these snippets directly into scripts, logs, shell history, or shared environments, leading to credential leakage or session hijacking.

Missing User Warnings

Medium, 92% confidence

Finding:
The documentation shows proxy credentials embedded directly in a URL inside an environment variable, which can normalize insecure handling of secrets. Even though this is only an example, such credentials may be exposed through shell history, process listings, logs, screenshots, or copied scripts, creating avoidable credential leakage risk.

Missing User Warnings

Medium, 88% confidence

Finding:
The documentation repeatedly encourages recording full browser sessions, screenshots, and test artifacts without any warning about capturing sensitive information such as credentials, session tokens, PII, or internal application data. In a browser automation skill, this is particularly risky because the examples explicitly include login flows and form filling, so users may unintentionally create persistent artifacts containing secrets or regulated data.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.