Back to skill

Security audit

Selenium Browser Control

Security checks across malware telemetry and agentic risk

Overview

This is a real Selenium browser automation skill, but it grants broad web-control and browser-data access without enough scoping or user safeguards.

Install only if you intentionally want an agent to drive a local headless Chrome browser. Use it on trusted sites where automation is allowed, avoid logged-in accounts or payment/admin workflows unless strictly necessary, do not share cookie or page-source outputs, review saved screenshots in ~/Pictures/OpenClaw, and be cautious with proxy, User-Agent, JavaScript, and form-submission commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger keywords are broad, generic terms such as '打开网页', '浏览器', '点击', and '填写' that can match many ordinary user requests, causing this high-impact browser automation skill to activate in situations where the user may not intend full browser control. Because the skill can open URLs, execute JavaScript, manipulate cookies, and set proxies, over-broad activation materially increases the risk of unintended navigation, data exposure, or unsafe automated actions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill exposes privacy- and system-impacting capabilities including JavaScript execution, cookie retrieval and modification, proxy configuration, page source extraction, and arbitrary browsing, yet the documentation provides no warning about handling credentials, session tokens, personal data, or access to untrusted websites. In this context, the missing warnings are security-relevant because users may invoke the skill without understanding that it can expose sensitive browser state or perform actions with real account consequences.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The get_cookies method exposes full browser session cookies to the caller with no access control, redaction, or scope restriction. In an agent skill context, this is dangerous because cookies can be replayed to hijack authenticated sessions or extract secrets from sites the automated browser has visited.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
Returning page source can expose sensitive content present in authenticated pages, including CSRF tokens, embedded secrets, account data, or internal application markup. In an agent-controlled browser, this materially increases data exposure because the tool can read privileged pages and hand their contents back to untrusted callers.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The execute_script method allows arbitrary JavaScript execution in the context of whatever page is loaded, enabling DOM manipulation, triggering clicks/submissions, extraction of page data, and abuse of authenticated sessions. In an automation skill exposed to agent inputs, this becomes a powerful browser-code execution primitive that can perform sensitive actions on behalf of the user.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.