Browser Use - Web Automation

Security checks across malware telemetry and agentic risk

Overview

This browser automation skill is coherent for web browsing, but it needs review because it gives the agent broad page-control powers and includes anti-detection and CAPTCHA-bypass guidance.

Install only if you are comfortable letting an agent control a browser, act in logged-in pages, run arbitrary page JavaScript, and leave page-derived files or screenshots on disk. Use a separate low-privilege browser profile, avoid sensitive accounts, review saved files, and require explicit user confirmation for script execution, form submissions, account changes, purchases, or CAPTCHA/verification flows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The documentation explicitly recommends using Baidu to avoid courier-site CAPTCHA protections, which is guidance to bypass anti-automation controls. Even if framed as convenience, it encourages behavior that can violate site access controls or terms and normalizes evasion patterns that may be reused in more sensitive workflows.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The skill exposes a general-purpose execute_script API that runs arbitrary JavaScript in the current page context. That exceeds the declared scope of browsing, search, scraping, and form interaction, and enables unrestricted DOM manipulation, data extraction, triggering of privileged page actions, and execution of site-specific logic that may bypass higher-level safety controls.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The code injects anti-detection logic that hides navigator.webdriver and suppresses notification permission prompts on every new document. For a browsing helper, stealth-oriented fingerprint manipulation is not necessary for core functionality and can facilitate evasion of bot-detection or site controls, making potentially abusive automation harder to detect.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill states that excess page text or elements are automatically saved to a file, but does not describe retention, path restrictions, sensitivity handling, or user consent. Since browser pages may contain personal, confidential, or session-related content, silent persistence expands the data exposure window and can create unintended local data leakage.

VirusTotal

67/67 vendors flagged this skill as clean.
