Oathe Security Badge

Is skills/browser-automation-stealth safe?

https://clawhub.ai/skills/browser-automation-stealth

70
CAUTION

This browser automation skill accessed multiple sensitive credential files during installation, including SSH keys and cloud service credentials. While the skill files themselves contain only documentation and no executable code, the installation process exhibited concerning behavior that could indicate potential credential harvesting.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 40/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 50/100 · 10%
Canary Integrity 70/100 · 10%
Behavioral Reasoning 40/100 · 5%

Findings (3)

HIGH Sensitive credential files accessed during installation -60

The skill installation process accessed multiple sensitive credential files including SSH private keys, AWS credentials, environment files, Docker configs, and Google Cloud credentials. While these files were not modified, unauthorized access to credential files poses a significant security risk.

MEDIUM Unexpected network connections during installation -50

Multiple HTTPS connections were established to external hosts during the installation process, including connections beyond the expected ClawHub API. This could indicate data transmission to external servers.

LOW External URL references -5

The skill documentation contains references to external URLs including a GitHub repository and support documentation. While these appear benign, they represent potential external dependencies.