Security audit

browser-automation

Security checks across malware telemetry and agentic risk

Overview

This browser automation skill matches its stated purpose, but it gives broad web, session, download, and third-party remote-processing capabilities without enough user control or privacy disclosure.

Install only if you are comfortable with a skill that can control a browser, interact with logged-in accounts, save screenshots/downloads, retain cookies and credentials in a persistent profile, access internal network sites, and route AI browser actions or extraction through SkillBoss API Hub. Use isolated profiles or test accounts, avoid sensitive financial/admin workflows, clear profile and download folders after use, and require explicit user confirmation before submissions, downloads, purchases, account changes, or extracting private page content.

SkillSpector (by NVIDIA)

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Description-Behavior Mismatch (Low, 83% confidence)
The example explicitly notes reuse of Chrome's user profile, which can preserve cookies and authenticated state across runs. In a browser-automation skill, that expands behavior from transient browsing into persistent session handling, increasing the risk of unintended account access, cross-task data leakage, and privacy exposure if later tasks inherit prior login state.

Description-Behavior Mismatch (Medium, 91% confidence)
The example states that files are automatically downloaded to a local directory, introducing local filesystem write behavior beyond simple page interaction. This can surprise users, create storage and malware-handling risks, and enable silent retrieval of untrusted content onto the host if used against arbitrary URLs.

Context-Inappropriate Capability (Medium, 92% confidence)
The reference explicitly states the browser can access localhost and internal networks and can automatically download arbitrary files without restriction. In an agent skill, this materially expands the attack surface beyond ordinary web browsing: a prompt or webpage could induce SSRF-style access to internal services and cause unreviewed files to be written to disk.

Missing User Warnings (Medium, 93% confidence)
The form-submission example demonstrates entering personal data and clicking Submit without warning that the information will be transmitted to an external website. In this skill context, that can normalize sending real PII through automation and may cause accidental disclosure if users copy the pattern with sensitive data.

Missing User Warnings (Medium, 95% confidence)
The login example instructs users to enter credentials and also notes that session cookies may persist via the Chrome profile, but it does not clearly warn about account security, shared-environment exposure, or unintended reuse of authenticated sessions. This is more dangerous in a browser skill because the core capability directly interacts with live web accounts and can preserve privileged access across runs.

Missing User Warnings (Low, 89% confidence)
The download example omits a clear warning that visiting the file URL will automatically write a file to a local directory. Even if this is intended behavior, undisclosed local writes reduce user awareness and can lead to accidental storage of untrusted or sensitive files on the host.

Vague Triggers (Medium, 88% confidence)
The README defines the skill trigger in very broad terms, covering generic browsing, extraction, screenshots, form-filling, and web app interaction. In an agent ecosystem, an overly broad description can cause the skill to be invoked for many routine requests, expanding access to sensitive web actions and increasing the chance of unintended automation on private or security-sensitive sites.

Missing User Warnings (Medium, 91% confidence)
The README advertises powerful capabilities like form filling, clicking, screenshots, and data extraction without warning about privacy, consent, or potentially system-impacting actions. This makes unsafe use more likely, especially where browser automation could expose credentials, capture sensitive data, submit unintended transactions, or interact with authenticated sessions.

Missing User Warnings (Medium, 88% confidence)
The documentation says downloads are automatically saved to ./agent/downloads but does not clearly warn users that invoking the skill can persist remote content on disk. This creates risk of silent storage of malicious, sensitive, or unexpected files and reduces informed consent for filesystem side effects.

Missing User Warnings (Medium, 94% confidence)
The act command uses Stagehand/page.act routed through an external API hub, but the command description does not warn that action prompts and potentially page context may be transmitted off-box. Users may unknowingly send sensitive page contents, form data, or session-derived context to a third-party service.

Missing User Warnings (Medium, 95% confidence)
The extract command is designed to analyze page contents and is routed through an external AI service, yet the reference omits a privacy warning. Because extraction often targets structured data from pages, this can expose sensitive business, personal, or authenticated content to a third party without clear disclosure.

Missing User Warnings (Medium, 94% confidence)
The skill silently switches between local browser execution and a remote third-party browser service based on the presence of an API key, without informing the user. This can expose visited URLs, page contents, form inputs, session data, or screenshots to a remote environment unexpectedly, creating privacy and data-governance risk.

VirusTotal

No VirusTotal findings

Static analysis

No suspicious patterns detected.