Security audit

Ok Core Skill

Security checks across malware telemetry and agentic risk

Overview

This skill matches its OK.com automation purpose, but it grants broad browser-session control with under-disclosed cookie, scripting, debugger, and persistent-profile access.

Install only if you are comfortable giving this skill substantial control over OK.com browser sessions, including authenticated account actions. Prefer manual OAuth login over passing passwords on the command line, avoid using it with a normal browser profile or unrelated CDP sessions, and review/limit the extension and persistent profile behavior before using it on accounts with important listings or sensitive messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (28)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares no permissions even though its documented behavior requires shell execution, network access, file access, and likely access to environment/browser state. This creates a transparency and review gap: operators may approve or run the skill without understanding that it can execute commands, read local files, and interact with remote services, which materially increases security risk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose presents the skill as a classifieds automation tool, but the detected behavior includes powerful browser automation features such as cookie extraction, arbitrary JavaScript evaluation, screenshots, login automation, and account probing. In this context, those hidden or under-disclosed capabilities are dangerous because they can access authenticated sessions, exfiltrate sensitive data, and perform actions beyond the user's reasonable expectations.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The extension exposes a generic `evaluate` capability that executes attacker-supplied JavaScript in the page's MAIN world via `Function(...)`. Even though tab selection is scoped to `*.ok.com`, this still grants full script execution on authenticated OK.com pages, enabling DOM scraping, account actions, and data exfiltration beyond the stated browsing/management purpose. In an agent skill, this is especially dangerous because the localhost bridge can silently drive privileged browser behavior without user review.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The bridge advertises a `get_cookies` command and implements unrestricted cookie retrieval for `ok.com`. Cookies are highly sensitive authentication material; exposing them over a localhost command channel is not necessary for ordinary marketplace browsing and can enable session theft if any local process can talk to the bridge server.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The manifest presents itself as a simple local bridge, but it requests cookies, tabs, scripting, and debugger access plus host access to OK.com and localhost WebSockets. That combination gives the extension the ability to inspect and manipulate authenticated OK.com sessions well beyond what a narrowly scoped bridge would need, creating a capability/description mismatch that can conceal risky behavior from users and reviewers.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The debugger permission is highly sensitive because it can attach to tabs and observe or control network traffic, page state, and browser behavior. For an OK.com browsing/listing-management skill, this is excessive and materially increases the risk of credential theft, session hijacking, interception of sensitive data, or stealthy page manipulation if the extension is compromised or abused.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The page-selection logic falls back to the first existing tab if no ok.com page is open, which can attach the automation client to an unrelated site in the user's live browser session. In a CDP-connected browser with a real user profile, that creates a cross-site session-hijacking risk: subsequent clicks, form fills, reads, screenshots, and cookie access can affect or exfiltrate data from arbitrary sites rather than only OK.com.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This client exposes broad browser-automation primitives such as arbitrary navigation, generic DOM reads/writes, unrestricted JavaScript evaluation, screenshots, scrolling, and synthetic keypresses. Because the skill is presented as OK.com-specific but connects to a real Chrome session over CDP, these capabilities materially exceed the stated workflow and can be composed to inspect or manipulate unrelated websites, making misuse substantially more dangerous in context.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The factory scans localhost CDP ports and will attach to any responding Chrome DevTools session, regardless of whether that browser instance belongs to this skill or contains unrelated user activity. In the context of an OK.com automation skill, this exceeds expected scope and could expose cookies, tabs, page contents, and authenticated sessions from other browsing contexts to the agent.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code auto-launches a general-purpose Chrome with remote debugging enabled and a persistent profile under ~/.ok-agent, then reuses it across invocations. This creates a long-lived browser state that can accumulate sensitive session data and be reattached later, broadening access beyond a single task and increasing the chance of cross-session data exposure or misuse.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The client exposes a generic `evaluate(expression)` method that can execute arbitrary JavaScript in the current page context, which exceeds the skill's stated purpose of browsing and managing OK.com content. In an agent setting, this creates a powerful escape hatch for DOM manipulation, data extraction, or invocation of page-side APIs on any loaded site, especially dangerous when combined with authenticated persistent sessions.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The file explicitly uses a persistent Playwright context so cookies, localStorage, and sessionStorage survive across runs, and the same client later supports cookie retrieval. Retaining and reusing session material beyond a single task materially expands the skill's access to authenticated state and makes cross-run data exposure or account misuse more likely if the agent is subverted or multi-tenant.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The module explicitly states its purpose is to mimic human behavior to lower OK.com's risk-control detection, which is an anti-detection/evasion capability rather than ordinary browsing automation. In the context of a marketplace automation skill, this enables stealthy scraping or account actions while reducing the platform's ability to detect and stop automated abuse.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill advertises account-management operations such as deleting or editing posts without warning that these actions are destructive or may affect the user's live OK.com account. In an agent setting, omission of confirmation and risk signaling can lead to unintended irreversible changes, especially when coupled with automation over authenticated sessions.

Missing User Warnings

High
Confidence
98% confidence
Finding
The background worker connects to `ws://localhost:9334` and executes incoming commands with browser privileges, but there is no authentication, origin validation, or user-facing warning. Because the extension is the WebSocket client, whichever local process is listening on that port when it connects becomes its controller: any process able to bind the port first, or to reach the legitimate bridge server, could control navigation, DOM actions, screenshots, cookie access, and script execution on OK.com, making the extension a local privilege bridge.

Missing User Warnings

High
Confidence
97% confidence
Finding
`cmdGetCookies` returns all cookies for the requested domain without any user notification or approval. On OK.com this can expose session and tracking cookies from an authenticated account, enabling impersonation or account takeover if the bridge is abused.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The extension can capture screenshots of the visible tab and return the image data through the bridge without notifying the user. Screenshots can reveal personal messages, listings, profile information, and other sensitive content from authenticated sessions, especially when combined with silent remote automation.

Missing User Warnings

High
Confidence
99% confidence
Finding
Arbitrary page-script evaluation is performed in the MAIN world using dynamic code generation, with no user-facing warning or safety boundary. This allows remote commands to read page state, invoke site JavaScript, manipulate forms, and exfiltrate data from logged-in OK.com pages, effectively turning the extension into a remote browser automation backdoor for that origin.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The `login` subcommand requires `--password` on the command line, which exposes secrets to shell history, process listings, audit logs, and agent telemetry. Even if the password is only forwarded to `login_with_email`, accepting it as a CLI argument creates a realistic credential leakage path in multi-user systems and automated agent environments.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The get_cookies command returns the full browser-context cookie set with no consent prompt, filtering, or origin restriction. In a CDP session attached to a real user profile, cookies may include authenticated session tokens for OK.com or any other site in the attached context, enabling account takeover or unauthorized data access if exposed to the agent or downstream systems.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
The factory may auto-launch Chrome and also kill a previously tracked Chrome process when CDP is unreachable, but there is no clear user-facing consent or warning in this flow. Unexpectedly starting or terminating browser processes can disrupt user activity and, in combination with persistent profiles and CDP reuse, makes the automation behavior more security-sensitive than a typical scoped site client.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The client stores browser state under `~/.ok-agent/pw-profile/`, causing sensitive cookies and local/session storage to remain on disk across runs without any visible warning, consent, or retention controls in this component. For a skill that may be run by agents on shared systems or reused across tasks, this increases the chance of inadvertent credential retention and later compromise.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
`send_command('get_cookies')` returns all browser cookies from the context, directly exposing potentially sensitive authentication and session tokens. In combination with the persistent profile and broad browsing primitives, this can enable session theft, replay, or unauthorized access well beyond normal OK.com browsing operations.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code persists full cookie data to a predictable local JSON file under a project directory without any encryption, permission hardening, expiry handling, or user consent flow. Cookies often contain session tokens, so local compromise, accidental checkout, backup leakage, or multi-user access could lead to account hijacking on OK.com across supported locales.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
The file header promotes simulating real-user operation rhythms specifically to reduce platform risk controls, which signals intentional evasion of detection mechanisms. This is dangerous because it can be combined with scraping, favorites/listing management, or other account actions to scale abusive behavior while bypassing defensive monitoring.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.