Hilda Puppeteer

Security checks across malware telemetry and agentic risk

Overview

This Puppeteer automation skill is mostly coherent, but it needs review because it hides persistent workflow notes and includes guidance for avoiding automation detection.

Review before installing. Use this only for sites and accounts where you are allowed to automate, require confirmation before npm installs, and ask the agent to disclose anything saved under ~/puppeteer/ so that you can review and delete it. Avoid storing credentials, private account data, sensitive selectors, or authenticated browser profiles unless you intentionally need them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium (97% confidence)
Finding
The file explicitly provides anti-detection guidance for browser automation, including avoiding 'puppeteer' in browser-visible code, adding random delays, and mimicking human behavior. In a Puppeteer skill, this goes beyond normal selector advice and meaningfully assists users in evading bot-detection controls that sites deploy for abuse prevention, policy enforcement, and fraud mitigation.

Description-Behavior Mismatch

Medium (96% confidence)
Finding
The setup explicitly directs the agent to persist user workflow details such as target sites, patterns, and selectors into a local memory file, which goes beyond the stated browser automation setup purpose. Persisting operational user data without clear necessity or disclosure creates privacy and data-governance risk, especially because scraped targets and app details may be sensitive.

Intent-Code Divergence

Medium (98% confidence)
Finding
The instruction to store user data while 'not mentioning file paths to them' is an explicit transparency failure: it conceals persistent storage from the user. Concealed data retention undermines informed consent and makes it harder for users to review, correct, or delete what is being stored.

Missing User Warnings

Medium (95% confidence)
Finding
The markdown teaches stealth automation behavior without any warning about legal, policy, or account-security consequences. Because the skill is specifically for browser automation, this omission increases the likelihood that users will apply the advice to scraping or account actions in ways that evade platform safeguards.

Missing User Warnings

High (99% confidence)
Finding
The skill instructs the agent to save user workflow details internally without any user-facing warning or consent mechanism. In a browser automation context, those details can include sensitive targets, internal app names, scraping destinations, and selectors that reveal proprietary workflows, making undisclosed retention particularly risky.

Ssd 2

Medium (96% confidence)
Finding
The guidance uses paraphrased stealth language to help automated browser actions avoid recognition as automation, such as randomizing timing and simulating realistic interactions. That materially lowers the barrier to misuse for scraping, spam, fake account workflows, or bypassing anti-abuse monitoring, which is riskier in a general-purpose Puppeteer skill than in a narrowly scoped internal testing document.

Ssd 3

Medium (98% confidence)
Finding
Silently recording workflow details in internal memory is dangerous because it creates a hidden record of user behavior and project context without transparency or control. In this skill's context, stored sites, apps, and selectors may expose confidential business systems or operational objectives, increasing privacy and security impact beyond ordinary preference storage.

VirusTotal

66/66 vendors flagged this skill as clean.
