Back to skill

Security audit

browser-auto-download

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed browser-based downloader that saves files locally and has an optional local debug mode, with no evidence of hidden uploads, persistence, or destructive behavior.

Install only if you need browser automation for difficult download pages. Use trusted URLs, review the saved filename and source before opening anything, verify installers or archives before running them, avoid using --debug on logged-in or sensitive pages, and delete the debug folder if you create it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly performs network access and writes files to disk, yet the manifest shown in the markdown declares no permissions. In an agent ecosystem, missing capability declarations weaken user consent and policy enforcement, allowing a skill to download and persist files without transparent authorization.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The documented purpose understates additional behaviors such as saving screenshots/HTML/page text in debug mode and including hardcoded site-specific download routines. This mismatch is risky because users may approve a downloader without realizing it can also capture page contents to disk, which may include sensitive data from authenticated or internal pages.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
When debug mode is enabled, the skill writes a full screenshot, raw HTML, and extracted page text to disk. Because this browser is pointed at arbitrary URLs, those artifacts can capture sensitive page data such as tokens, account information, internal content, or personal data that are unrelated to the download task, creating unnecessary local data exposure and persistence.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The quick start encourages immediate use of a browser automation tool that can trigger downloads automatically and write files to disk, but it does not warn users about that behavior or recommend validating the source URL and downloaded content. In a skill specifically designed to navigate pages and auto-initiate platform-specific downloads, this omission increases the chance of users downloading and executing untrusted binaries without understanding the risk.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The documentation describes extensive browser automation, remote navigation, event capture, and download handling but omits a privacy/network disclosure. Users may not realize the skill will contact third-party websites, execute client-side content in a browser context, and potentially expose metadata such as IP address, user agent, cookies, and download behavior to external services.

Missing User Warnings

Low
Confidence
85% confidence
Finding
The documentation describes extensive browser automation, remote navigation, event capture, and download handling but omits a privacy/network disclosure. Users may not realize the skill will contact third-party websites, execute client-side content in a browser context, and potentially expose metadata such as IP address, user agent, cookies, and download behavior to external services.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Although the skill is a downloader, the description does not prominently warn that it will automatically retrieve and save files to the local system. Automatic file persistence changes disk state and can introduce malicious or unwanted executables into the environment, especially when browsing untrusted download pages.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guide explicitly promotes a debug mode that stores full-page screenshots, raw HTML, and extracted text, but it provides no warning that these artifacts can capture credentials, session tokens, personal data, internal URLs, or other sensitive page content. In the context of a browser automation skill that visits arbitrary download pages, this increases the chance that users will unintentionally persist sensitive data to disk where it may be exposed to other local users, backups, or logs.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script saves downloaded files directly into the user's Downloads or chosen output directory without an explicit confirmation step, provenance check, or safety gate. In the context of a browser automation skill designed to follow links and trigger downloads from arbitrary sites, this increases the risk of silently placing untrusted executables or archives on disk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The debug workflow persists screenshot, HTML, and body text to disk with only stderr messaging, not a clear consent prompt or prominent warning that page contents will be retained. Since the skill may browse login-gated or personalized pages, this can store sensitive session-specific content and increase forensic exposure on the local machine.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"python": ">=3.8"
  },
  "dependencies": {
    "playwright": "^1.40.0"
  },
  "devDependencies": {},
  "openclaw": {
Confidence
88% confidence
Finding
"playwright": "^1.40.0"

Known Vulnerable Dependency: playwright==1.40.0 — 1 advisory(ies): CVE-2025-59288 (Playwright downloads and installs browsers without verifying the authenticity of)

High
Category
Supply Chain
Confidence
95% confidence
Finding
playwright==1.40.0

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.