ClawHub

chrome-extension-wxt

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Chrome extension development skill; it includes privacy-sensitive browser API examples, but no hidden execution, credential collection, or deceptive behavior was found.

Before installing or using this skill, treat its output as extension starter guidance rather than production security guidance. Review any generated manifest permissions, avoid <all_urls> unless strictly necessary, do not store API keys in sync storage, add consent/confirmation for destructive actions, and carefully review tab, cookie, history, webRequest, and script-injection code before loading or publishing an extension.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The reference demonstrates access to cookies, downloads, bookmarks, history, and scripting, including destructive actions like deleting history or removing bookmarks, without any caution about consent, privacy, or data loss. In an agent skill context, omission of guardrails can normalize unsafe generation patterns and lead users to build extensions that overreach or mishandle sensitive browser data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The webRequest examples show blocking, redirecting, and modifying headers and CORS behavior across broad URL patterns, including <all_urls>, without warning that these capabilities can intercept user traffic, weaken security boundaries, or disrupt browsing. In a skill that may be used to generate implementation guidance, presenting this power without constraints increases the risk of misuse or unsafe extension design.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The scripting section demonstrates direct code and CSS injection into arbitrary pages without warning about its ability to alter page behavior, access DOM data, or create supply-chain-style abuse if used carelessly. In an agent skill, this can encourage generated solutions that overuse injection instead of safer extension patterns and omit least-privilege controls.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation explicitly models storing an API key in browser.storage.sync/local state without any warning that extension storage is not appropriate for high-value secrets. In a browser-extension context, this can lead developers to persist credentials in places that may be synced across devices, exposed to other extension components, or recoverable from local profiles, increasing credential theft risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The tab enumeration example collects and renders tab titles and URLs, which are sensitive browsing-data elements, without warning about privacy implications or permission minimization. In extension development docs, this can normalize broad tab access and encourage developers to expose or retain browsing history-like data unnecessarily.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal