ClawHub

Clawdbot Agent Browser

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed browser-automation skill, but saved sessions, cookies, and storage should be treated like sensitive account access.

Install only if you trust the external agent-browser npm package and need automated browser control. Keep auth state files, cookies, localStorage values, screenshots, PDFs, and extracted page content out of source control and logs, and require explicit approval before purchases, posts, deletions, account changes, or other high-impact actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly recommends `state save auth.json` and `state load auth.json` to skip login flows, but provides no warning that these files contain sensitive session artifacts such as cookies and storage tokens. In an agent setting, this can normalize insecure handling of reusable authentication state, leading to credential/session theft, accidental check-in to source control, or cross-user/session misuse.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill documents commands for reading and modifying cookies and local storage without any privacy or sensitivity guidance. Because these stores commonly contain session identifiers, CSRF tokens, PII, and app secrets, exposing them as routine commands in a browser automation skill increases the chance an agent will exfiltrate, log, or tamper with sensitive data during normal operation.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal