tgebrowser

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent TgeBrowser control helper, but it gives an agent broad browser-profile, cookie, automation, and deletion authority without enough confirmation guidance.

Install only if you intend to let an agent control TgeBrowser profiles through the local MCP/API setup. Before use, require explicit approval for retrieving cookies, using logged-in profiles, running page scripts, submitting forms, deleting profiles, clearing cache, or closing all profiles. Avoid exposing raw cookies or proxy credentials unless strictly necessary.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill explicitly recommends automatic cleanup flows that include closing all profiles, listing all browsers, and deleting unwanted ones based on criteria, as well as automatically closing browsers before cache deletion. These are destructive state-changing operations, and the lack of confirmation or warning guidance creates a real risk of unintended data loss or disruption if the agent infers intent incorrectly.

Missing User Warnings

Medium
Confidence: 87%
Finding
The skill exposes cookie and browser profile data access as normal utility operations without any privacy warning, approval step, or limitation guidance. Cookies can contain session tokens and other sensitive data, so normalizing access increases the chance of unauthorized data extraction or accidental privacy violations.

Missing User Warnings

Medium
Confidence: 82%
Finding
Documenting a cookie-retrieval capability without any privacy or sensitivity warning is dangerous because cookies often contain session tokens and authentication material. In a skill that provides full browser control and automation, this materially increases the risk of account takeover or unauthorized session reuse if an agent retrieves and exposes them without strict user consent.

Vague Triggers

Medium
Confidence: 93%
Finding
The skill exposes multiple powerful browser-management and automation capabilities, but the tool descriptions are broad and underspecified, which can cause over-activation for loosely related user requests. In this context, generic descriptions are dangerous because the tools enable opening browser environments, creating proxy-backed identities, and deleting environments, all of which expand the chance of unintended or unsafe invocation.

VirusTotal

65/65 vendors flagged this skill as clean.
