yumweb

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate browser automation skill, but it gives agents broad control over logged-in accounts and public posting without enough built-in scoping or confirmation.

Install only if you intentionally want an agent to operate a real logged-in browser profile. Use a separate low-sensitivity profile, keep port 9333 local, avoid untrusted eval strings, review every post/form/action before it runs, and consider pinning/auditing dependencies before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
                f"Where-Object {{ $_.CommandLine -like '*{profile.replace(chr(92), chr(92)+chr(92))}*' }} | "
                "ForEach-Object { $_.ProcessId }"
            )
            out = subprocess.check_output(
                ["powershell", "-NoProfile", "-Command", ps_cmd],
                text=True, timeout=15,
            )
Confidence
85% confidence
Finding
out = subprocess.check_output( ["powershell", "-NoProfile", "-Command", ps_cmd], text=True, timeout=15, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        import html2text  # noqa
        return html2text
    except ImportError:
        subprocess.check_call([sys.executable, "-m", "pip", "install", "-q", "html2text"])
        import html2text  # noqa
        return html2text
Confidence
90% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "-q", "html2text"])

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill exposes powerful capabilities including shell execution, network access, file reads/writes, and browser control over a persistent authenticated profile, yet the manifest does not declare permissions or provide a capability boundary. In practice this prevents meaningful policy enforcement and hides that the skill can access sensitive account data, write screenshots/logs/profile state to disk, and perform authenticated actions on websites.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill description presents itself as using an already logged-in browser as the agent's hands, but the documented behavior includes launching its own dedicated browser/profile, executing arbitrary JavaScript via eval, saving screenshots to disk, and posting to X. This mismatch is dangerous because operators may approve a seemingly low-risk reading/browsing tool without realizing it can create persistent authenticated state, execute arbitrary page code, exfiltrate visible content, and take external actions on the user's behalf.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill description emphasizes using a logged-in browser to read and automate pages, but the code also includes a site-specific capability to publish posts on X. In a persistent logged-in browser context, posting creates direct account-action risk and exceeds a passive browsing/inspection expectation, making abuse materially more dangerous.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The eval command allows arbitrary JavaScript execution in whatever logged-in page is active, enabling exfiltration of page data, DOM manipulation, unauthorized actions, and abuse of authenticated sessions. This is especially dangerous because the skill is explicitly designed to attach to a persistent browser containing user cookies and active accounts.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Runtime package installation is broader than the stated browser-automation role and introduces unnecessary code-fetch-and-execute behavior. Because this skill already has access to a logged-in browser environment, adding dynamic dependency installation increases the attack surface and weakens deployment integrity.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly positions the skill as a way for an agent to operate inside already-authenticated personal accounts, including reading inboxes, feeds, carts, and posting on social platforms, but it does not provide strong, prominent warnings about privacy exposure, unintended actions, or account consequences. In this context, documentation materially shapes how the tool is deployed; normalizing broad agent access to live logged-in sessions without clear consent and guardrail guidance increases the risk of credential misuse, data exfiltration, and unauthorized account actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The release notes explicitly position the skill as enabling AI agents to operate inside an already logged-in real browser session, but provide no warning about privacy exposure, account misuse, or irreversible actions that could occur under the user's authenticated context. In this skill context, that omission is more dangerous than usual because the product is specifically designed to let agents inherit powerful live sessions across services like email, social media, shopping, and enterprise sites.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Describing active tab persistence for follow-up read, click, and type operations without warning about unintended actions understates a real safety risk: subsequent agent commands may execute against the wrong authenticated page, modify data, send messages, place orders, or change account settings. Because this skill's core purpose is persistent browser control in a logged-in session, state confusion and silent continuation materially increase the chance of harmful real-world actions.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The invocation guidance is broad enough to trigger this skill for generic web-browsing requests, increasing the chance it is selected even when a lower-privilege fetch/read tool would suffice. In this context that is risky because this skill attaches to a persistent logged-in browser and supports state-changing actions, so over-selection can unnecessarily expose private account data or enable unintended authenticated interactions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill openly supports reading from logged-in services such as Gmail, Outlook, Amazon, LinkedIn, Facebook, Instagram, and WeChat Web, and also posting to X, but does not pair those capabilities with prominent user warnings about privacy, consent, and account impact. In a security context this is dangerous because the tool can access highly sensitive personal or business data and perform authenticated actions that may leak information, modify accounts, or create irreversible external effects.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The x-post command performs an authenticated posting action without any built-in confirmation, preview, or warning. In a logged-in browser bridge intended for agents, this makes unintended or malicious account actions easy to trigger and increases the chance of reputational damage, spam, or policy violations.

VirusTotal

VirusTotal findings are pending for this skill version.