Vanzhangsh Skills

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed browser automation skill, with sensitive session features that are expected for its purpose but require care.

Install only if you trust the external agent-browser package. Use separate browser sessions for sensitive sites, avoid saving auth state unless necessary, keep state files and recordings out of shared or version-controlled locations, and require confirmation before the agent submits forms, uploads files, changes settings, or performs purchases.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly documents saving and reloading browser state and notes that recording preserves cookies/storage, but it does not warn that these artifacts may contain active session tokens, authentication cookies, or other sensitive data. In an agent context, this increases the risk of credential leakage, unintended privilege reuse across tasks, and insecure handling of auth material on disk.

Missing User Warnings

Low
Confidence: 83%
Finding
The documentation advertises commands that write screenshots, PDFs, traces, videos, and state files to local paths, but it does not clearly warn that these operations modify the local filesystem and may overwrite existing files or create sensitive artifacts. For agent-operated tools, hidden write side effects can surprise users and increase the chance of data loss or leakage.

Session Persistence

Medium
Category: Rogue Agent
Content
```bash
agent-browser state save auth.json    # Save session state
agent-browser state load auth.json    # Load saved state
```

## Example: Form submission
Confidence: 95%
Finding
Load saved state

Session Persistence

Medium
Category: Rogue Agent
Content
```bash
agent-browser wait --url "/dashboard"
agent-browser state save auth.json

# Later sessions: load saved state
agent-browser state load auth.json
agent-browser open https://app.example.com/dashboard
```
Confidence: 96%
Finding
load saved state

VirusTotal

64/64 vendors flagged this skill as clean.
