Agent Browser

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate browser automation skill, but it gives an agent powerful access to accounts, browser sessions, local files, and downloads without enough default limits or warnings.

Install only if you intentionally need agent-driven browser automation. Use an isolated browser profile, avoid attaching to your normal Chrome session, pin or verify the npm package, enable domain/action/output limits, and require explicit approval before logging in, saving auth state, using file:// access, uploading files, downloading content, or submitting account-changing forms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The command reference includes an auth vault that stores credentials and can replay them for login, which materially expands the skill from simple page interaction into secret handling and account access. In an agent context, this increases the risk of credential misuse, unintended persistence, and compromise of third-party accounts if profiles or logs are exposed.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
The documented eval command allows arbitrary JavaScript execution in the browser context, which is a more powerful capability than ordinary clicking, scraping, or form filling. That can be used to inspect page state, manipulate DOM flows, or access sensitive in-session data exposed to the page, making the skill broader and riskier than its stated purpose suggests.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding:
Connecting to an existing Chrome instance via CDP lets the skill control a user's live browser session rather than an isolated automation session. This can expose authenticated tabs, cookies, open documents, and active workflows, creating a severe boundary break with high risk of data theft or unauthorized actions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
Allowing file:// access extends the browser automation surface from web content to local filesystem content. In an agent setting, this can enable reading sensitive local documents or loading local resources into a context the agent can then inspect, which is significantly broader than the manifest's web-interaction description.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
The skill description is extremely broad and can trigger on many normal web-related tasks, increasing the chance that an agent invokes a powerful browser automation capability when a narrower or safer tool would suffice. In this context, the skill can navigate sites, fill forms, log in, persist state, and download data, so over-triggering meaningfully expands the attack surface for prompt injection, unintended credential entry, and unauthorized web actions.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The documentation explicitly demonstrates credential entry, session/state persistence, and file output without corresponding warnings about secrets handling, storage protection, retention, or safe destination controls. In a browser-automation skill, this is particularly risky because agents may process live credentials, authenticated cookies, downloaded files, and extracted page content that can contain sensitive data or malicious prompt-injection content.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The examples show piping a password into auth save without any warning about secret exposure, storage risks, or shell history/logging concerns. Even if stdin avoids some exposure, users and agents may still mishandle credentials, persist them insecurely, or replay them in inappropriate contexts.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
State save/load examples omit that saved browser state may contain cookies, localStorage, and other session artifacts that can authenticate a user. Without warnings, operators may store, transfer, or reuse these files insecurely, leading to session hijacking or unintended account access.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The local file access example lacks any warning that enabling file:// browsing can expose local filesystem contents to the automation tool. In an agent workflow, that omission raises the chance of accidental access to sensitive local documents outside the expected web scope.

VirusTotal

66/66 vendors flagged this skill as clean.