gt-core-skill

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This Gumtree automation skill is not clearly malicious, but it should be reviewed because it can control a logged-in browser session and perform real account actions without strong guardrails.

Install only if you trust the publisher with a live Gumtree browser session. Use a test account where possible, avoid passing real passwords on the command line, disable the extension and bridge when not actively using them, and require explicit review before any message, favourite, logout, or post-ad action.

SkillSpector (22)

By NVIDIA

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation advertises shell execution and a browser/WebSocket bridge, but it does not declare corresponding permissions or clearly constrain those capabilities. That mismatch weakens review and enforcement controls, making it easier for a skill with command execution and network access to perform actions beyond what users or the platform expect.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
This is a significant description-to-behavior mismatch: the skill claims to provide narrow Gumtree workflows, but the underlying bridge appears capable of arbitrary navigation and JavaScript evaluation in the browser context. A generic browser-control channel can be abused to access unrelated sites, manipulate authenticated sessions, extract page data, or execute unintended actions well beyond the declared Gumtree use case.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The background script exposes a generic `evaluate` command over a WebSocket bridge and executes attacker-controlled JavaScript in the page's MAIN world via `Function(...)`. That exceeds the stated Gumtree automation scope and creates an arbitrary code execution primitive against any open Gumtree page, enabling scraping of private data, DOM manipulation, unauthorized actions, and abuse of the logged-in session.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
`mainWorldExecutor` uses `Function` on `params.expression`, which is direct dynamic code execution in the browser page context. Because commands arrive through the local bridge without demonstrated authentication or authorization, any process able to reach that socket can run arbitrary JavaScript on Gumtree pages in the user's session.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The manifest requests the powerful "debugger" permission even though the stated purpose is a Gumtree automation bridge for login, search, messages, and listing interactions. In a browser extension, debugger access can inspect and control page behavior far beyond normal content-script needs, so if background logic or a localhost bridge is compromised, this permission materially increases the ability to capture sensitive data or manipulate sessions.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This file implements outbound message sending via `_send_message_if_requested` and `_SEND_MESSAGE_JS`, which can actively contact Gumtree users. If the manifest only declares message reading, the skill is over-privileged relative to its declared behavior, creating a consent and trust boundary violation that could lead to unauthorized user actions.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The detail-page flow clicks the page's Message button and can then send a message from a listing detail page, which is an outbound contact action beyond passive browsing. If this behavior is not clearly declared in the skill contract, users and calling agents may trigger real communications without informed consent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation explicitly shows a CLI login flow that accepts a username and password, but it provides no warning about handling secrets, storage expectations, redaction, or avoiding credential leakage in shell history and logs. In a browser-automation skill that bridges a local CLI, extension, and Chrome session, this increases the chance that users will pass real account credentials into an opaque automation path without informed consent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation describes a `post-ad` capability that can perform account-affecting actions on Gumtree, including category selection and navigation into ad creation, but it does not warn that the skill can modify external account state. Because this skill operates a real browser session tied to the user's account, omission of mutation warnings makes unintended or socially engineered actions more dangerous.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README documents the ability to send Gumtree messages from the CLI but does not clearly warn that this causes real outbound communication to third parties from the user's account. In an agent-skill context, that omission is security-relevant because an agent or operator may treat the action as a read-only retrieval step and unintentionally contact sellers, creating privacy, spam, reputational, or policy risks.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README describes favourites and post-ad flows that modify account state, but it does not prominently warn that these commands perform live actions on the user's Gumtree account. In a browser-automation skill, insufficient disclosure increases the chance of unintended state changes such as favouriting listings or initiating ad-posting flows, which can confuse users, alter account history, or trigger platform-side effects.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill includes the ability to send Gumtree messages, but the documentation does not require explicit user confirmation immediately before a message is sent. In an agent setting, that creates a risk of unintended external communications, spam, disclosure of sensitive information, or actions taken on behalf of the user without clear consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The login command takes username and password as plaintext CLI arguments, and the documentation notes shell-history exposure without steering users toward safer handling. Credentials passed this way may be exposed via shell history, process listings, logs, or agent telemetry, increasing the chance of account compromise.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The extension automatically connects to `ws://localhost:9335` and accepts commands that can navigate tabs and execute actions without any user approval, prompt, or visible trust boundary. In the skill context, this is more dangerous because the extension is explicitly intended to control a real logged-in Gumtree session, so silent command acceptance enables covert browsing and account actions if the bridge is abused.

Missing User Warnings

High
Confidence
97% confidence
Finding
This finding reflects the same dangerous behavior as the arbitrary evaluation path: code from an external command source is executed in the page context with no safety interlocks, warnings, or confirmation. The lack of user-facing warning is not just a UX issue here; it hides a high-risk capability that can act with the user's Gumtree privileges and access page data invisible to ordinary extension worlds.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The login command accepts credentials directly via `--username` and `--password`, which commonly exposes secrets through shell history, process listings, logs, and higher-level orchestration telemetry. In an agent skill that automates a real browser session, this increases the risk of credential disclosure beyond the immediate user context.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The messaging commands can send arbitrary user-provided text without any explicit confirmation or friction, enabling accidental outbound messages or misuse by higher-level agents acting on ambiguous prompts. Because this skill operates a real logged-in marketplace account, unintended sends can create reputational harm, spam, or unwanted user commitments.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code automatically starts a background bridge server with no user-facing disclosure or consent, which can surprise users and expand the local attack surface. In a browser-automation skill, silently enabling a local websocket service is more sensitive because it may mediate browser actions and page data access.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill opens Chrome automatically when the extension is not connected, without an explicit warning or confirmation step. In this context, launching a real browser tied to an automation bridge can expose session state, trigger extension behavior, and surprise the user into interacting with a browser they did not knowingly authorize.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This function triggers a real state-changing action on a live Gumtree account by clicking the Favourite button, but it contains no in-function guardrail such as explicit user confirmation, dry-run mode, or policy check before mutating account state. In a browser automation skill, that increases the risk of unintended account actions if the agent is prompted ambiguously, invoked mistakenly, or chained from higher-level logic without a clear consent boundary.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The function returns logged-in user identifiers (`user_id` and `user_name`) taken from browser page data even though they are not required to display favourite listings. In an agent skill that automates a real logged-in browser session, exposing identity fields increases privacy risk, broadens downstream data access, and can leak personal information to callers, logs, or other components without clear minimization.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code sends messages immediately when a `message` argument is provided, without any built-in confirmation, preview, or warning in this file. That makes unintended outbound communication easier if an upstream agent misinterprets user intent or passes attacker-influenced content through to the browser automation layer.

Static analysis

Secret argv exposure

Critical
Finding
Instructions pass high-value credentials through process argv.

Secret argv exposure

Critical
Finding
Instructions pass high-value credentials through process argv.

Secret argv exposure

Critical
Finding
Instructions pass high-value credentials through process argv.

VirusTotal

VirusTotal findings are pending for this skill version.
