Agent Browser Xyhh

Security checks across malware telemetry and agentic risk

Overview

This is a coherent browser automation skill, but users should treat saved sessions, cookies, screenshots, recordings, and JavaScript evaluation as sensitive capabilities.

Install only if you trust the upstream agent-browser npm package and actually need browser automation. Avoid using it on sensitive accounts unless necessary; keep saved state files such as auth.json out of repositories and shared folders; restrict their file permissions; delete recordings, screenshots and traces when the task is done; and treat cookie or storage output like active login secrets.
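
The hygiene steps above, as an added Python example (not code from the skill, the scanner, or the agent-browser project): it keeps saved state under a directory only the owner can enter, locks the file to owner read/write, makes sure git ignores it, and removes screenshots, recordings and traces once a task is done. `save_state` wraps the `agent-browser state save <file>` command shown in the findings below and assumes the CLI is on PATH; the artifact extension list, directory names and `demo()` scratch data are assumptions for illustration, and `demo()` writes a stand-in file instead of launching a browser.

```python
"""Hygiene helpers for agent-browser session state and on-disk artifacts (added example)."""
import shutil
import stat
import subprocess
import tempfile
from pathlib import Path

# Assumed set of artifact types the skill can write; all may embed page content or secrets.
ARTIFACT_GLOBS = ("*.png", "*.jpg", "*.pdf", "*.webm", "*.mp4", "*.zip", "*.har")


def secure_state_dir(base: Path) -> Path:
    """Create (or tighten) a directory that only the owner can list or enter (mode 0700)."""
    base.mkdir(parents=True, exist_ok=True)
    base.chmod(stat.S_IRWXU)
    return base


def lock_down(path: Path) -> int:
    """Restrict a saved state file to owner read/write (0600); return the resulting mode bits."""
    path.chmod(stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(path.stat().st_mode)


def ensure_gitignored(repo_dir: Path, pattern: str) -> bool:
    """Append pattern to repo_dir/.gitignore unless already listed; True if it was added."""
    gitignore = repo_dir / ".gitignore"
    existing = gitignore.read_text().splitlines() if gitignore.exists() else []
    if pattern in existing:
        return False
    with gitignore.open("a") as fh:
        fh.write(pattern + "\n")
    return True


def save_state(state_file: Path) -> Path:
    """Save browser state through the agent-browser CLI (assumed on PATH), then lock the file down."""
    secure_state_dir(state_file.parent)
    subprocess.run(["agent-browser", "state", "save", str(state_file)], check=True)
    lock_down(state_file)
    return state_file


def purge_artifacts(out_dir: Path) -> list:
    """Delete screenshots, recordings and traces under out_dir; return the names removed."""
    removed = []
    for pattern in ARTIFACT_GLOBS:
        for item in list(out_dir.rglob(pattern)):
            item.unlink()
            removed.append(item.name)
    return sorted(removed)


def demo() -> dict:
    """Run the whole flow in a scratch directory with a constructed state file (no browser)."""
    root = Path(tempfile.mkdtemp(prefix="agent-browser-demo-"))
    state_dir = secure_state_dir(root / "state")
    state_file = state_dir / "auth.json"
    state_file.write_text('{"cookies": [], "origins": []}')  # stand-in for the CLI's output
    results = {
        "dir_mode": stat.S_IMODE(state_dir.stat().st_mode),
        "file_mode": lock_down(state_file),
        "gitignore_added": ensure_gitignored(root, "state/auth.json"),
        "gitignore_second_call": ensure_gitignored(root, "state/auth.json"),
    }
    for name in ("shot.png", "run.webm", "trace.zip", "notes.txt"):
        (root / name).write_text("constructed")
    results["purged"] = purge_artifacts(root)
    results["kept"] = sorted(p.name for p in root.iterdir() if p.is_file())
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    print(demo())
```

The modes are set explicitly rather than relying on umask, so the result does not depend on the caller's environment; `purge_artifacts` matches by extension only, so anything the skill writes under a different name still has to be cleaned up by hand.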

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding
The description omits that the tool can execute arbitrary JavaScript and intercept or mock network traffic, which are materially broader powers than ordinary browser automation. Hidden powerful capabilities make misuse easier because operators and automated allowlisting logic may not realize the skill can alter page behavior or inspect and modify requests.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
`agent-browser eval` enables arbitrary JavaScript execution in the browser context, which can read DOM data and any tokens exposed to page scripts, and can interact with application state beyond what the structured commands allow. In an agent skill, this broadens capability from controlled automation to near-unrestricted in-page code execution, raising the risk of data extraction or unsafe actions on sensitive sites.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
Direct cookie/storage manipulation and session state import/export go beyond ordinary interaction and enable persistence and replay of authenticated browser state. In practice, this can facilitate credential theft, account takeover, or cross-task leakage if agents save, inspect, or restore auth artifacts without strong controls.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill encourages saving screenshots, PDFs, videos, traces, and stateful artifacts to disk but provides no warning that these files may contain sensitive page content, credentials, tokens, or personal data. This creates a realistic risk of local secret spillage, later exfiltration, or accidental retention beyond the task's need.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
Commands for setting credentials, viewing cookies/localStorage, and saving/loading authenticated session state directly expose authentication material and session secrets. Without prominent handling guidance, users or agents may store or display secrets in plaintext, enabling session hijacking, credential disclosure, or unauthorized account reuse.
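
A redacting audit of a saved state file, as an added Python example (not code from the skill, the scanner, or the agent-browser project): it assumes the file uses the Playwright storageState layout that agent-browser builds on, i.e. a `cookies` list plus an `origins` list carrying `localStorage` entries; if the real file differs, the two loops are what to adapt. It reports which cookies and storage keys look like authentication material, whether they are expired or missing the Secure flag, without printing any value, and produces a copy that is safe to paste into a ticket. The name and JWT heuristics and the sample state are constructed for the example.

```python
"""Redacting audit for an agent-browser saved state file (added example)."""
import copy
import json
import re
import time
from typing import Optional

# Assumed heuristics: names that usually carry authentication material, and compact JWTs
# (three base64url segments; the header always encodes to a string starting with "eyJ").
SENSITIVE_NAME = re.compile(r"(sess|sid|token|jwt|auth|csrf|refresh|api[_-]?key)", re.I)
JWT_VALUE = re.compile(r"^eyJ[\w-]+\.[\w-]+\.[\w-]*$")


def looks_sensitive(name: str, value: str) -> bool:
    return bool(SENSITIVE_NAME.search(name) or JWT_VALUE.match(value))


def audit_state(state: dict, now: Optional[float] = None) -> dict:
    """Summarise cookies and localStorage entries without exposing their values."""
    now = time.time() if now is None else now
    report = {"cookies": [], "storage": [], "warnings": []}
    for c in state.get("cookies", []):
        value = c.get("value", "")
        entry = {
            "name": c["name"], "domain": c.get("domain", ""),
            "httpOnly": bool(c.get("httpOnly")), "secure": bool(c.get("secure")),
            "value_len": len(value), "sensitive": looks_sensitive(c["name"], value),
        }
        exp = c.get("expires", -1)
        entry["expired"] = exp not in (-1, None) and exp < now  # -1 marks a session cookie
        report["cookies"].append(entry)
        if entry["sensitive"] and not entry["expired"]:
            report["warnings"].append(f"live auth cookie {c['name']} for {entry['domain']}")
        if entry["sensitive"] and not entry["secure"]:
            report["warnings"].append(f"cookie {c['name']} lacks Secure flag")
    for origin in state.get("origins", []):
        for item in origin.get("localStorage", []):
            sens = looks_sensitive(item["name"], item["value"])
            report["storage"].append({"origin": origin["origin"], "key": item["name"],
                                      "value_len": len(item["value"]), "sensitive": sens})
            if sens:
                report["warnings"].append(
                    f"localStorage {item['name']} at {origin['origin']} holds a token")
    return report


def redact_state(state: dict) -> dict:
    """Return a deep copy with every cookie and storage value replaced by a placeholder."""
    out = copy.deepcopy(state)
    for c in out.get("cookies", []):
        c["value"] = f"<redacted {len(c.get('value', ''))} chars>"
    for origin in out.get("origins", []):
        for item in origin.get("localStorage", []):
            item["value"] = f"<redacted {len(item['value'])} chars>"
    return out


# Constructed sample in the storageState layout; the JWT below is a dummy, not a real token.
SAMPLE_STATE = {
    "cookies": [
        {"name": "session_id", "value": "a" * 32, "domain": "app.example.com", "path": "/",
         "expires": -1, "httpOnly": True, "secure": True, "sameSite": "Lax"},
        {"name": "theme", "value": "dark", "domain": "app.example.com", "path": "/",
         "expires": 4102444800, "httpOnly": False, "secure": False, "sameSite": "Lax"},
        {"name": "old_auth", "value": "b" * 16, "domain": "app.example.com", "path": "/",
         "expires": 1000000000, "httpOnly": True, "secure": False, "sameSite": "Lax"},
    ],
    "origins": [
        {"origin": "https://app.example.com", "localStorage": [
            {"name": "access_token", "value": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2ln"},
            {"name": "lastPage", "value": "/dashboard"},
        ]},
    ],
}

if __name__ == "__main__":
    print(json.dumps(audit_state(SAMPLE_STATE), indent=2))
    print(json.dumps(redact_state(SAMPLE_STATE), indent=2))
```

Run it against a real auth.json with `audit_state(json.load(open(path)))`; the report carries only names, domains, flags and lengths, so it can be logged, while the original file should be deleted or locked down as soon as the task no longer needs it.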

Session Persistence

Severity: Medium
Category: Rogue Agent
Confidence: 95%
Content
```bash
agent-browser state save auth.json    # Save session state
agent-browser state load auth.json    # Load saved state
```
Finding
Load saved state

Session Persistence

Severity: Medium
Category: Rogue Agent
Confidence: 95%
Content
```bash
agent-browser wait --url "/dashboard"
agent-browser state save auth.json

# Later sessions: load saved state
agent-browser state load auth.json
agent-browser open https://app.example.com/dashboard
```
Finding
Load saved state

VirusTotal

65/65 vendors flagged this skill as clean.