Terminal In Chrome

Security checks across malware telemetry and agentic risk

Overview

This skill is a real browser terminal tool, but it gives a Chrome extension and localhost server broad, weakly controlled access to an interactive shell on the user's machine.

Install only if you deliberately want a Chrome extension that can open a local shell connected to your machine. Use it only in a controlled environment, restrict it to trusted sites, add authentication and strict origin checks to the localhost server, avoid exposing sensitive environment variables, and make terminal sessions expire when disconnected.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill declares itself as only managing a local server, but the documented operations require shell command execution and filesystem access without explicitly declaring those capabilities. This creates a transparency and policy gap: reviewers or users may approve the skill under under-scoped assumptions while it can invoke local commands and inspect process state.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The description frames the skill as a simple lifecycle manager for a localhost server, but the documented architecture and analyzer findings indicate a much more powerful system: terminal injection into arbitrary webpages, localhost WebSocket exposure, shell spawning via node-pty, and permissive cross-origin access. In this context, understatement is security-relevant because it can hide remote-to-local command execution pathways and cause users to enable a browser-integrated shell surface they did not meaningfully consent to.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The skill metadata says the extension manages a local backend server on port 8989, but the manifest describes injecting a local terminal into any website. This mismatch is security-relevant because it conceals materially broader browser-side behavior than users would expect, reducing informed consent and potentially hiding a capability that exposes local terminal access in arbitrary browsing contexts.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Injecting terminal-related content scripts on <all_urls> is far broader than necessary for managing a localhost server. This creates a dangerous universal execution surface where every visited site can interact with or be affected by terminal UI logic, increasing the risk of data exposure, script abuse, and unintended bridging between untrusted web pages and a localhost service.

Scope Creep

Medium
Confidence
89% confidence
Finding
The manifest combines localhost host permissions with content script injection on all websites, which enables the extension to run on arbitrary pages while also being able to communicate with local services. Even though host_permissions are limited to localhost, this architecture can facilitate cross-context abuse where untrusted web content influences extension logic that can reach local resources.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill metadata says it manages a local terminal server, but the implementation is the terminal backend itself and exposes live interactive shell sessions over WebSocket. This is a material capability mismatch that can mislead users or higher-level policy controls, increasing the chance that powerful command execution is exposed without appropriate review or restrictions.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
`app.use(cors())` allows requests from any website, and this service exposes a terminal over localhost WebSocket. In browser-based local service threat models, permissive cross-origin access can let an arbitrary website connect to the local backend and drive command execution through the user's browser context.

Context-Inappropriate Capability

Critical
Confidence
100% confidence
Finding
The code spawns a PTY shell and later writes client-supplied WebSocket messages directly into it, creating arbitrary command execution as the local user. Combined with the permissive cross-origin design and lack of authentication, this can allow remote websites to execute commands on the host through the local service.

Context-Inappropriate Capability

High
Confidence
90% confidence
Finding
Terminal instances are keyed by a user-controlled URL parameter and persist across disconnects, creating long-lived shell sessions that can be reattached to later. This increases exposure by preserving command context, shell state, and potentially sensitive output beyond any single trusted interaction.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly describes a Chrome extension that injects a fully functional terminal into any website and connects it to a local backend that spawns bash or zsh. Even if this file is only documentation, omitting a clear warning about the security model is dangerous because it normalizes exposing shell access in a browser context where arbitrary web content, extension bugs, or origin-confusion issues could lead to command execution against the user's local machine.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The stop procedure instructs users to terminate the process with `kill -9`, which forcefully kills the server without graceful shutdown or validation of the target process. While not a direct exploit by itself, this is an unsafe operational practice that can cause data loss, leave resources in inconsistent states, or kill the wrong process if the PID is misidentified.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The content script opens a WebSocket to a local terminal backend and forwards keystrokes from a browser-injected terminal to that backend, but the code provides no clear user-facing warning, consent prompt, or trusted-origin gating at connection time. In an extension that injects into arbitrary web pages, this increases the risk of unexpected terminal exposure and command entry in sensitive browsing contexts, especially since visibility can be auto-restored per page and the feature is activated from within page sessions.

Missing User Warnings

High
Confidence
87% confidence
Finding
The manifest advertises terminal injection into all websites without clear warning that this is a broad, system-impacting capability connected to localhost access. In this skill context, that is especially dangerous because users expect a local server management tool, not an extension that can place terminal functionality into arbitrary pages and potentially expose local-system interaction in unsafe contexts.

Missing User Warnings

High
Confidence
93% confidence
Finding
The code creates an interactive shell without any visible confirmation, consent flow, or security interstitial to the user. For a local agent skill, hidden command execution is especially dangerous because users may believe they are only managing service status, not granting shell access.

Missing User Warnings

High
Confidence
96% confidence
Finding
Passing `env: process.env` into the spawned shell exposes all environment variables available to the server process to terminal commands. These often include API keys, tokens, proxy credentials, and other secrets that a connected client can read or exfiltrate.

VirusTotal

VirusTotal findings are pending for this skill version.