Agent Browser

Security checks across malware telemetry and agentic risk

Overview

This is a real browser automation skill, but it needs review because it can run an unpinned external CLI, control logged-in browser sessions, and includes proxy guidance for avoiding rate limits or bans.

Install only if you trust the actual agent-browser CLI package that will run on your machine. Use it on sites and accounts you are authorized to automate, avoid proxy rotation for evasion, require confirmation before purchases, posts, account changes, or submissions, and treat saved state, screenshots, videos, and proxy credentials as sensitive files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The reference explicitly exposes `agent-browser eval`, including base64 and stdin modes that allow arbitrary JavaScript to run in the page context. In a browser automation skill this materially expands capability from structured interaction into unrestricted script execution, enabling DOM scraping, token extraction, workflow bypasses, and execution of unsafe actions against live authenticated sessions.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The global option `--extension <path>` permits loading arbitrary browser extensions, which can gain broad access to page content, cookies, network activity, and user interaction. That capability is not necessary for ordinary browser automation and creates a powerful code-loading and surveillance surface that could be abused by an agent or poisoned environment.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The document explicitly frames proxy support as useful for 'rate limiting avoidance,' which promotes an evasion use case beyond ordinary browser automation. In an agent-facing skill, this can normalize or enable abusive scraping workflows and make it easier for downstream users or agents to bypass service protections.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The rotating-proxies example is specifically justified as a way to avoid rate limiting and bans during scraping, which is an operational evasion pattern rather than a neutral automation example. Because this is documentation for an agent browser skill, it materially increases the chance the capability will be used for abusive large-scale collection against target sites.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger language is extremely broad and covers almost any request involving websites, logins, scraping, screenshots, or automation. In an agent setting, this increases the chance the skill is invoked for ambiguous tasks, causing unneeded browser actions against live sites and expanding the attack surface for prompt injection, account changes, or data submission.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The description advertises powerful browser capabilities but does not warn that using the skill can send data to third-party websites, perform clicks and submissions, or alter remote accounts. Without an upfront warning, an orchestrating agent may invoke the skill in contexts involving credentials, personal data, or irreversible account actions without adequate user awareness or consent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The example saves authenticated browser state to a local JSON file immediately after login without an adjacent warning that the file contains reusable session material. In this skill’s context, that state may include cookies or tokens that can allow account takeover if the file is copied, committed, or left on a shared system.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The documentation encourages screenshots, PDFs, video capture, and related artifacts without warning that these outputs may persist sensitive page content such as credentials, PII, session identifiers, or internal data. In an agent-operated browser, silent persistence increases the chance of unintentional retention, leakage, or reuse of sensitive information.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Commands for cookies, storage, headers, credentials, and auth-state manipulation expose highly sensitive browser state and allow direct modification of authentication material and request metadata. Without privacy and integrity warnings, users or agents may dump secrets, replay sessions, tamper with live requests, or persist credentials in unsafe files.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The reference documents request interception and arbitrary JavaScript execution without warning that these features can alter live traffic, bypass normal UI constraints, inspect sensitive responses, and execute untrusted logic in authenticated page contexts. In combination, they provide offensive testing and exfiltration primitives far beyond ordinary click/fill automation.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
Embedding proxy usernames and passwords directly in environment-variable URLs encourages insecure secret handling and may expose credentials through shell history, process inspection, logs, screenshots, or copied documentation. In an agent-operated environment, these examples can be reproduced automatically and leak long-lived proxy credentials into transcripts or execution artifacts.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation demonstrates saving and reusing authenticated browser state, which typically includes cookies, tokens, and other session artifacts that can grant account access if the file is exposed. Although the page later notes that state files contain auth tokens and should be handled securely, the earlier examples normalize persistence of sensitive session data without prominent warnings, secure storage guidance, or scoping protections.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This documentation repeatedly encourages video recording of browser sessions, including login and form-filling flows, without warning that recordings and screenshots can capture credentials, session data, personal information, and other sensitive page content. In an agent-browser skill, this is more dangerous than generic tooling documentation because the intended use includes automating websites, logging in, testing apps, and saving artifacts in CI/CD, all of which increase the likelihood that secrets or regulated data will be recorded and retained.

Session Persistence

Medium
Category
Rogue Agent
Content
### Load Session State

```bash
# Restore saved state
agent-browser state load /path/to/auth-state.json

# Continue with authenticated session
```
Confidence
89% confidence
Finding
Restore saved state

VirusTotal

65/65 vendors flagged this skill as clean.
