chrome-cdp-skill

Security checks across malware telemetry and agentic risk

Overview

This browser-debugging skill is mostly disclosed, but it gives an agent broad control over your real Chrome session and includes under-scoped raw CDP and tab-opening powers.

Install only if you intentionally want an agent to control a local Chrome-family browser through DevTools. Use a separate browser profile or close sensitive tabs, avoid using `evalraw` unless you understand the CDP method, and stop the daemon or disable remote debugging when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Description-Behavior Mismatch

Medium
96% confidence
Finding
The skill metadata says it should only interact with pages the user already has open, but the implementation exposes an `open [url]` command that creates new tabs via `Target.createTarget`. That expands the tool's authority beyond its declared scope and could be used to drive the browser to arbitrary destinations, increasing the chance of phishing, unwanted navigation, or policy bypass in agent workflows that rely on the manifest for safety boundaries.

Context-Inappropriate Capability

High
99% confidence
Finding
`evalraw` allows callers to send arbitrary CDP methods and attacker-controlled JSON parameters directly to the browser session, which effectively bypasses all higher-level safety restrictions implemented elsewhere in the tool. In this context, raw CDP access can enable far more than inspecting an already-open page, including browser-wide introspection, navigation, input injection, target manipulation, and access to sensitive page data from any attached target.

VirusTotal

56/56 vendors flagged this skill as clean.
