web-access-openclaw

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate browser automation skill, but it gives broad control over a user's logged-in Chrome session and local files, so users should review it carefully before installing.

Install only if you are comfortable letting the agent operate a real Chrome session. Prefer a separate Chrome profile with only the accounts needed for the task, stop the proxy when finished, and require explicit confirmation before uploads, posts, purchases, submissions, deletes, account changes, or saving screenshots of sensitive pages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The /eval endpoint allows arbitrary JavaScript execution inside the user's live Chrome session via Runtime.evaluate. In the context of a proxy attached to a real user browser, this can read page content, access authenticated sessions, trigger privileged actions on logged-in sites, and exceed the declared scope of simple web access or page interaction.

Context-Inappropriate Capability

High
Confidence: 97%
Finding
The /setFiles endpoint lets the proxy inject arbitrary local filesystem paths into file inputs using DOM.setFileInputFiles. That bridges web automation with local file access, enabling upload of sensitive local files through the user's authenticated browser session without any visible file picker or meaningful user confirmation.

Context-Inappropriate Capability

High
Confidence: 93%
Finding
The /clickAt endpoint uses Input.dispatchMouseEvent to synthesize browser-level clicks, and its comments explicitly note bypassing anti-automation checks and triggering file dialogs. This increases risk because it enables the proxy to perform actions websites intend to gate behind real user gestures, potentially causing unintended transactions, consent flows, or privileged UI actions in a logged-in session.

Vague Triggers

Medium
Confidence: 92%
Finding
The skill scope is defined so broadly that it effectively becomes the default path for almost any networked task, including search, scraping, authenticated browsing, and interactive web actions. That over-broad trigger surface increases the chance the agent will invoke a high-privilege capability unnecessarily, exposing users to unintended data access or browser-side actions without a narrow safety gate.

Missing User Warnings

Medium
Confidence: 97%
Finding
This section grants powerful browser control through a local proxy tied to the user's real Chrome session, including reading authenticated pages, executing arbitrary JavaScript in-page, clicking, uploading files, and closing tabs. In this context, the absence of strong warnings, consent requirements, and action boundaries makes the skill materially dangerous because it can access private data and perform state-changing actions as the user.

Missing User Warnings

Low
Confidence: 90%
Finding
The skill instructs the agent to write persistent site-pattern notes after successful operations, but does not disclose that this modifies local files and leaves durable records of browsing-derived knowledge. Even if intended for convenience, silent persistence can create privacy, integrity, and auditability concerns, especially when gathered from user sessions or authenticated contexts.

Missing User Warnings

Medium
Confidence: 94%
Finding
The documentation exposes powerful browser automation primitives that can perform real user-like clicks and directly inject local file paths into file inputs, including language about bypassing file dialogs and some anti-automation checks. In a web-access skill, these capabilities can enable unintended exfiltration of local files, interaction with authenticated sessions, and stealthy actions on third-party sites if not constrained by explicit authorization, scope limits, and safety warnings.

Missing User Warnings

Low
Confidence: 87%
Finding
The screenshot API allows saving captures of browser content directly to local files without warning that screenshots may contain credentials, personal data, session information, or regulated content. Persisting these images on disk increases the chance of unintended retention, later disclosure, or reuse beyond the user's expectations.

Missing User Warnings

Medium
Confidence: 90%
Finding
The HTTP API exposes sensitive browser-control operations such as navigation, evaluation, clicking, screenshots, and file upload without any authentication, authorization, user consent flow, or warning mechanism. Even though it binds to 127.0.0.1, any local process or potentially a malicious local webpage leveraging localhost access could drive the user's live Chrome session and abuse existing authenticated state.

VirusTotal

65/65 vendors flagged this skill as clean.
