Stealth Browser

Security checks across malware telemetry and agentic risk

Overview

This skill is openly a stealth browser, but it has a real command-injection flaw and automatic install behavior that make it risky to load or use.

Do not install this in a normal or shared environment as-is. Use it only in a controlled sandbox for authorized testing, and only after the maintainer replaces shell exec with argument-array process execution, validates URLs, removes automatic npm install-on-load, restores browser sandboxing where possible, documents saved artifacts, and adds clear limits against unauthorized anti-bot evasion.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill automatically runs `npm install` via `execSync` during `onLoad`, which executes arbitrary package lifecycle scripts from the local dependency tree without explicit user approval. This goes beyond the advertised browser functionality and creates a supply-chain and arbitrary code execution risk whenever the skill is loaded.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly sends user-supplied URLs to external websites but does not warn users that their requested destinations and browsing activity will be transmitted to third parties. This can expose sensitive targets, internal links, or investigative activity and may lead users to unintentionally disclose private or regulated information through the browsing tool.

Missing User Warnings

Medium
Confidence: 96%
Finding
The screenshot and PDF features can capture full page contents, including personal data, account information, tokens shown in-page, or confidential business material, yet the skill provides no warning about storage or handling of that captured content. Users may therefore create durable artifacts containing sensitive information without understanding the retention and disclosure risks.

Natural-Language Policy Violations

High
Confidence: 99%
Finding
The skill markets stealth capabilities specifically to bypass Cloudflare, reCAPTCHA, and other bot-detection systems, while describing techniques for masking automation fingerprints. In this context, the absence of compliance limits, user authorization requirements, or legitimate-use constraints makes the capability directly useful for evading access controls and facilitating abusive scraping or unauthorized automated access.

Missing User Warnings

Medium
Confidence: 99%
Finding
User-controlled arguments are interpolated directly into a shell command string passed to `execSync` (`node "script" ${args}`), creating a classic command injection primitive. An attacker can supply shell metacharacters in URLs or other arguments to execute arbitrary OS commands with the privileges of the host process.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill performs `npm install` automatically and without prior user warning, which launches a powerful subprocess and may execute dependency lifecycle scripts. In the context of a skill loader, this increases the blast radius from merely using the skill to executing third-party code on the local system.

Missing User Warnings

Medium
Confidence: 94%
Finding
This skill fetches arbitrary remote URLs using a stealth browser and emits retrieved page content directly to stdout, which can expose sensitive internal web content, authenticated pages, or cloud metadata if the tool is invoked on attacker-controlled URLs. The use of stealth features and lack of user-facing warning or URL restrictions makes SSRF-style misuse and covert data retrieval more dangerous in an agent environment.

VirusTotal

64/64 vendors flagged this skill as clean.
