Back to skill

Security audit

Amazon Screenshot

Security checks across malware telemetry and agentic risk

Overview

This Amazon screenshot skill does what it advertises, but it uses stealth browser automation, stored browser sessions, and an embedded email password that users should review carefully before installing.

Install only in an environment where you trust the publisher and the shared Amazon and MOSS email accounts. Rotate or remove the embedded SMTP password, use a dedicated low-privilege Amazon browser profile, confirm screenshots do not expose account or address details, and ensure the stealth/verification behavior is authorized for the sites being accessed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The dependency set includes `playwright-extra-plugin-stealth`, which is specifically designed to evade bot detection rather than simply render pages for screenshots. In the context of a screenshot skill that also mentions automatic human-verification clicking, this expands the tool from ordinary browser automation into anti-detection automation, increasing the risk of bypassing site protections and enabling misuse against third-party services.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill injects a broad stealth script to hide browser automation indicators such as navigator.webdriver, plugins, languages, and Selenium/PhantomJS markers. For a screenshot utility, this goes beyond normal rendering needs and is explicitly designed to evade site bot detection, increasing the risk of policy bypass and deceptive automated access to third-party services.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The code runs a local shell command with embedded Python to inspect /tmp/.X11-unix sockets and identify another user's active X display. That is unnecessary for a simple screenshot pipeline and expands the attack surface by probing local system state and coupling the skill to potentially sensitive desktop sessions.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The description says the ZIP will be sent to a user-provided Feishu email, but the implementation rejects any address not ending in @campsnail.com. This mismatch can redirect outputs only to an internal domain and creates a trust and data-handling issue because users are misled about who can receive captured content.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill sends screenshots through email and preserves browser profile data, but the description omits privacy and retention warnings. In this context, screenshots can contain account, address, or session-derived personal/business data, and persistent profile storage increases the risk of cross-task leakage or unauthorized reuse.

Missing User Warnings

High
Confidence
100% confidence
Finding
Hardcoded SMTP credentials are embedded directly in the script, exposing reusable email infrastructure secrets to anyone with code access. If leaked or abused, an attacker could send mail as the configured account, access internal mail workflows, or use the account for phishing and data exfiltration.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill uses a persistent Chrome profile to preserve login state, meaning it may access cookies, authenticated sessions, and other saved browsing data without clear disclosure. In this context, that makes the screenshot tool capable of acting with an existing user's privileges on Amazon and potentially other sites reachable from the shared profile.

Unpinned Dependencies

Low
Category
Supply Chain
Content
{
  "dependencies": {
    "nodemailer": "^8.0.7",
    "playwright": "^1.59.1",
    "playwright-extra": "^4.3.6",
    "playwright-extra-plugin-stealth": "^0.0.1"
Confidence
93% confidence
Finding
"nodemailer": "^8.0.7"

Unpinned Dependencies

Low
Category
Supply Chain
Content
{
  "dependencies": {
    "nodemailer": "^8.0.7",
    "playwright": "^1.59.1",
    "playwright-extra": "^4.3.6",
    "playwright-extra-plugin-stealth": "^0.0.1"
  }
Confidence
93% confidence
Finding
"playwright": "^1.59.1"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"dependencies": {
    "nodemailer": "^8.0.7",
    "playwright": "^1.59.1",
    "playwright-extra": "^4.3.6",
    "playwright-extra-plugin-stealth": "^0.0.1"
  }
}
Confidence
94% confidence
Finding
"playwright-extra": "^4.3.6"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"nodemailer": "^8.0.7",
    "playwright": "^1.59.1",
    "playwright-extra": "^4.3.6",
    "playwright-extra-plugin-stealth": "^0.0.1"
  }
}
Confidence
96% confidence
Finding
"playwright-extra-plugin-stealth": "^0.0.1"

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/screenshot.js:36