Back to skill

Security audit

Clawbrowser Skill

Security checks across malware telemetry and agentic risk

Overview

This looks like a real browser automation tool, but its scraper can publish scraped page content to Feishu by default in CLI and scheduled modes without clear top-level disclosure.

Review before installing. Use it in an isolated environment, avoid authenticated or private pages unless you intend their contents to be saved, and do not use web_scraper CLI or scheduled mode unless you want scraped content exported to Feishu. Disable or edit the Feishu export path if you only need local browser automation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill metadata declares no required environment permissions, yet the documented functionality and referenced files imply access to environment variables, shell execution, and local file reads/writes. This mismatch is dangerous because operators and policy systems may approve the skill under a lower-trust profile than it actually needs, enabling unexpected command execution or data access.

Tp4

High
Category
MCP Tool Poisoning
Confidence
85% confidence
Finding
The skill is presented primarily as browser automation, but analysis indicates broader behaviors including scraping, local persistence, batch/scheduled collection, and Feishu integration. That broader operational scope materially changes the risk profile because it can support mass data collection, storage, and exfiltration workflows that are not clearly disclosed in the top-level description.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill exposes a general `eval` bridge to execute arbitrary JavaScript in the loaded page context, which exceeds the stated browser automation scope and creates a powerful capability surface. Even though the current methods use fixed JS snippets, the helper normalizes script execution as a supported primitive and could be extended or misused to access sensitive DOM data, trigger unintended actions, or bypass higher-level safety constraints.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The module can automatically publish scraped page content to Feishu, which expands data-flow beyond the stated browser automation purpose and may exfiltrate sensitive content from visited pages to a third-party platform. In this skill context, hidden or insufficiently disclosed outbound publishing is more dangerous because users may expect local browser automation, not remote content transfer.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The markdown promotes web scraping, automation, and data collection use cases without any warning about privacy, authorization, terms-of-service, or handling of sensitive data. In an agent-facing skill, missing safety guidance increases the chance of misuse against protected content or collection of personal/confidential information at scale.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Browser results are persisted under `~/.openclaw/cache/browser` without user notice, and the cache can contain page content, snapshots, or other potentially sensitive browsing data. In an agent-browser context, pages may include tokens, internal URLs, personal data, or workflow artifacts, so silent persistence increases privacy and data-retention risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The screenshot method accepts an arbitrary filesystem path and forwards it directly to the browser CLI, enabling file creation or overwrite in locations chosen by the caller. In an agent environment this can be abused to write into unexpected directories, clobber files, or leak page content into sensitive locations without user awareness.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The CLI paths invoke scraping with save_to_feishu=True automatically, causing scraped content to be transmitted to Feishu without confirmation, review, or a privacy notice. This creates a real risk of unintended disclosure of internal, private, or copyrighted page content, especially when used in scheduled or batch modes that can exfiltrate at scale.

Ssd 3

Medium
Confidence
94% confidence
Finding
The code logs full natural-language instructions and related action parameters, which may include credentials, personal data, URLs with tokens, or other sensitive user inputs. Since logs are retained in memory and exposed through `get_logs()`, this broadens data exposure to later consumers of the object or surrounding agent framework.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.