Web Access.Bak

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed but very powerful browser-control tool that can act through your logged-in Chrome session without strong user-approval boundaries.

Install only if you intentionally want an agent to control a real browser session. Prefer a separate Chrome profile or low-privilege account, disable remote debugging when finished, stop the proxy when not in use, and require explicit approval before uploads, posts, purchases, deletions, account changes, or browsing sensitive logged-in sites.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill directs the agent to execute shell commands (`bash`, `curl`, `ls`, `sed`) but does not declare corresponding permissions or clearly constrain that capability. In a security-sensitive agent framework, undeclared shell access expands the actual authority of the skill beyond what users and policy tooling can reliably reason about, increasing the chance of unintended command execution or local system interaction.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The skill is presented as handling web/network access, but it also instructs the agent to enumerate and read local `references/site-patterns` files. This creates hidden local data-access behavior outside the advertised purpose, which can be abused to exfiltrate or manipulate local knowledge files under the guise of normal web activity.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to persist and update per-site knowledge on disk as part of routine operation, even though the stated purpose is web access. Unnecessary local persistence creates integrity and privacy risks: future runs may trust poisoned notes, and browsing-derived data may be stored indefinitely without user awareness.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The document claims minimal intrusion into the user's environment, yet elsewhere directs the agent to create or modify local files. This mismatch can mislead users and reviewers about the real side effects of using the skill, causing consent and trust failures around local state changes.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The /eval endpoint accepts arbitrary JavaScript and runs it inside the user's existing Chrome session, which inherits the user's authenticated cookies, page context, and DOM access. In this skill context, that goes well beyond ordinary web access or page retrieval and enables full session abuse, data extraction, and state-changing actions on any site the user is logged into.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The /setFiles endpoint can programmatically attach arbitrary local files to web pages through file inputs, effectively bridging local filesystem contents into remote websites. In a web-access skill, this is especially dangerous because it can exfiltrate sensitive local documents or upload files on behalf of the user without a clear, explicit consent boundary.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The /screenshot endpoint can write captured browser content to any filesystem path supplied by the caller, creating an arbitrary file write primitive within the privileges of the proxy process. While the content is image data, this still enables unauthorized local persistence, overwriting user files, and storing sensitive page captures outside expected browser-only operations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly promotes using a proxy to control the user's normal Chrome session with existing login state, which can access private data and perform authenticated actions. Because it presents powerful browser automation without prominent warnings, consent requirements, or safeguards around account-impacting actions, it materially increases the risk of unauthorized posting, data exposure, and destructive interactions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The usage examples include account-targeted and publishing actions such as searching platform accounts and posting on a creator platform, but they do not warn that these actions may be irreversible or affect real user accounts. In the context of a skill designed for agents, examples strongly shape behavior, so omitting warnings makes unsafe autonomous execution more likely.

Vague Triggers

High
Confidence
89% confidence
Finding
The trigger scope is extremely broad, effectively routing nearly any network-related task through a highly privileged web/browser skill. Overbroad activation increases the blast radius of mistakes and makes it easier for unrelated prompts to invoke shell, browser automation, login-state access, and local file behaviors unnecessarily.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation explicitly exposes an API for setting arbitrary local file paths into a browser file input and emphasizes that it bypasses the file dialog entirely. In a web-access skill, this lowers an important user-consent boundary and can enable unintended disclosure of sensitive local files to remote sites if the capability is used without strict confirmation and path restrictions.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The screenshot API supports writing captured page content directly to an arbitrary local file path, but the docs do not warn that this persists potentially sensitive data to disk. In a browser automation skill, screenshots may contain credentials, personal data, or session information, so silent disk writes create avoidable privacy and retention risks.

Missing User Warnings

High
Confidence
99% confidence
Finding
This endpoint provides direct arbitrary JavaScript execution over HTTP in the user's logged-in browser context with no confirmation, warning, or action-specific guardrails. Because the skill is intended for web access using the user's real browser, the absence of explicit consent makes silent account manipulation and private data extraction especially dangerous.

Missing User Warnings

High
Confidence
95% confidence
Finding
The /clickAt endpoint dispatches browser-level mouse events specifically to simulate trusted user gestures, and the comments explicitly note that it can trigger file dialogs and bypass anti-automation checks. That is a strong indicator of behavior designed to circumvent normal safety boundaries, and it can be used to activate sensitive UI actions without meaningful user awareness.

Missing User Warnings

High
Confidence
97% confidence
Finding
This endpoint silently sets local files on file inputs without any explicit disclosure or approval workflow, allowing uploads from the local machine into remote web applications. In combination with access to the user's real Chrome session, this creates a serious risk of covert local data exfiltration and unauthorized submission actions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The screenshot endpoint can persist captured page images to arbitrary local paths without explicit warning, which may store sensitive authenticated content from the user's browser session in unexpected locations. This is less severe than code execution but still expands the skill from browser access into undisclosed local file system effects.

Ssd 4

Medium
Confidence
84% confidence
Finding
The guidance explicitly normalizes adapting behavior to overcome site obstacles, login walls, and anti-bot controls rather than treating them as policy boundaries. In the context of a browser-automation skill with login-state access, this increases the risk of unauthorized access patterns, terms-of-service violations, and collection of data that a site is intentionally trying to restrict.

Ssd 2

Medium
Confidence
82% confidence
Finding
The skill recommends switching from programmatic access to GUI-style interactions when sites resist automated behavior because it is less likely to trigger defenses. That is effectively guidance for stealthier circumvention of detection controls, which is risky in a web-access skill already capable of acting through the user's authenticated browser.

Ssd 2

Medium
Confidence
87% confidence
Finding
The skill advises preserving session-related parameters and interpreting access failures as signals to recover missing context needed to get through protections. In practice, this encourages replay of authenticated or anti-bot tokens and deeper attempts to defeat access checks, which can extend the agent's reach into guarded content.

External Transmission

Medium
Category
Data Exfiltration
Content
| Non-public content, or platforms where the static layer is known to be ineffective (Xiaohongshu, WeChat Official Accounts, etc.; even their public content is restricted by anti-scraping) | **Browser CDP** (directly, skipping the static layer) |
| Requires login state, interactive operations, or the need to navigate and explore freely inside the browser like a human | **Browser CDP** |

Browser CDP does not require the URL to be known in advance: it can start from any entry point and find the target content through in-page search, clicks, navigation, and similar means. WebSearch, WebFetch, and curl do not handle login state.

**Jina** (optional preprocessing layer; can be combined with WebFetch/curl, and because of its characteristics it reduces token consumption, so actively combine it whenever the task is suitable): a third-party web service that converts web pages to Markdown, greatly saving tokens but possibly losing information. Invoke it as `r.jina.ai/example.com` (the prefix is added before the URL; the original URL's http prefix is not kept), limited to 20 RPM. Suitable for articles, blogs, documentation, PDFs, and other pages where the body text is the core; on data dashboards, product pages, and other non-article page structures it may extract the wrong blocks.
Confidence
90% confidence
Finding
curl do not handle login state. **Jina** (optional preprocessing layer; can be combined with WebFetch/curl, and because of its characteristics it reduces token consumption, so actively combine it whenever the task is suitable): a third-party web service that converts web pages to Markdown, greatly saving tokens but possibly losing information. Invoke it as `r.jina.ai/example.com` (the prefix is added before the URL; the original URL's http prefix is not kept), limited to 20 RPM. Suitable for articles,

VirusTotal

66/66 vendors flagged this skill as clean.