Back to skill

Security audit

Clawbrowser Skill

Security checks across malware telemetry and agentic risk

Overview

This looks like a real browser automation and scraping skill, but its scraper can upload captured page content to Feishu by default in CLI modes without clear top-level disclosure.

Review before installing if you may use it on logged-in, internal, or sensitive pages. Prefer isolated browser sessions, avoid entering secrets through this wrapper, and change or wrap web_scraper.py so Feishu upload requires an explicit per-run choice rather than being enabled by the CLI defaults.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares no required permissions, yet its documented behavior implies shell execution (`npm install`, `agent-browser install`), environment/runtime dependencies, and likely local file access through scraping output and configuration. This creates a transparency and least-privilege problem: operators may approve or run the skill without understanding that it can invoke external binaries and touch the local system.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The description presents the skill as browser automation, but the documented functionality extends into web scraping, bulk extraction, local persistence, and possible third-party document integration. This mismatch is dangerous because reviewers and users may underestimate the scope of data collection, exfiltration, and persistence capabilities, especially in an agent setting where autonomous actions can scale quickly.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill advertises browser automation but also exposes arbitrary page-context JavaScript execution through the eval command in extract_images and extract_links patterns, showing the wrapper is willing to run injected JS in the browser context. In an agent setting, this broadens capability beyond simple navigation and can be repurposed to access page DOM content, tokens, or perform unsafe actions on authenticated pages.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill goes beyond browser automation by persisting scraped content locally and optionally exporting it to Feishu, which materially expands data-handling behavior beyond the stated scope. This increases the risk of unexpected collection, retention, and exfiltration of potentially sensitive page contents without users understanding that the tool is acting as a scraper-plus-publisher rather than only a browser automation helper.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
This code transmits scraped page content to Feishu, a third-party platform, which can expose confidential or regulated information if users scrape internal pages, private articles, or authenticated content. The danger is amplified because the skill's stated purpose does not clearly justify external publication, so users may not reasonably expect off-platform data transfer.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill advertises scraping and form-filling without any privacy, consent, credential-handling, or terms-of-service warnings. In practice, this can lead users or autonomous agents to collect personal data, submit forms on live sites, or process sensitive content without appropriate safeguards.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Natural-language commands are especially risky because they abstract away the exact browser actions being taken, making unintended navigation, clicks, and submissions more likely. Without warnings or confirmation controls, an agent could perform real actions on production websites, including login attempts, purchases, data changes, or acceptance of prompts, based on ambiguous language.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The CLI path enables save_to_feishu=True by default for both single and batch scraping, causing scraped content to be uploaded without an explicit confirmation step. This creates a strong risk of accidental data exfiltration, especially when operators run the tool assuming it only fetches or stores content locally.

Ssd 3

Medium
Confidence
90% confidence
Finding
The natural-language command path logs full user instructions, which can include secrets, personal data, URLs with tokens, or task details. In agent environments, logs are often persisted, exported, or exposed to operators, turning routine prompts into a data-retention and disclosure channel.

Ssd 3

Medium
Confidence
95% confidence
Finding
The fill and type methods log the first 20 characters of supplied text, which can expose passwords, API keys, email addresses, or other sensitive form inputs. Even partial-value logging is enough to leak secrets and creates unnecessary plaintext persistence in memory or downstream log sinks.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.