Plasmate

Security checks across malware telemetry and agentic risk

Overview

This browser automation skill appears purpose-aligned, but it should be reviewed because installation and helper use can execute downloaded code and leave a local automation server running.

Install only if you trust Plasmate and its distribution channel. Prefer `cargo install plasmate`, or inspect and verify any installer before running it. Use a virtual environment for the Python helper, be aware that it may install `websockets`, and check for and stop any Plasmate server left running on port 9222. Avoid letting it click or type on sensitive websites without explicit confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import websockets
except ImportError:
    print("Installing websockets...", file=sys.stderr)
    subprocess.check_call([sys.executable, "-m", "pip", "install", "-q", "websockets"])
    import websockets
Confidence
95% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "-q", "websockets"])

Lp3

Medium
Category
MCP Least Privilege
Confidence
81% confidence
Finding
The skill advertises shell-based installation and browser/server capabilities but does not declare permissions, creating a mismatch between what the skill can do and what users or policy systems can evaluate up front. In agent ecosystems, undeclared shell or MCP-style capabilities can lead to unexpected command execution or network-facing behavior without explicit user consent.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Installing dependencies dynamically at runtime is beyond the normal scope of a browsing client and causes unannounced environment mutation. If package indexes, mirrors, or dependency resolution are compromised, the script could pull and execute untrusted code during normal use.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The install instructions tell users to pipe a remotely fetched script directly into the shell without any warning or verification step. This is dangerous because compromise of the hosting domain, TLS termination, or the script itself would immediately translate into arbitrary code execution on the user's machine.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script performs a silent pip install with minimal warning, causing unexpected system modification and execution of installer logic. In an agent-executed environment, this weakens operator control and increases supply-chain risk because a simple import failure leads to networked package retrieval and installation.

External Script Fetching

High
Category
Supply Chain
Content
{
  "id": "shell",
  "kind": "shell",
  "command": "curl -fsSL https://plasmate.app/install.sh | sh",
  "bins": ["plasmate"],
  "label": "Install Plasmate (pre-built binary)",
},
Confidence
97% confidence
Finding
curl -fsSL https://plasmate.app/install.sh | sh

External Script Fetching

High
Category
Supply Chain
Content
cargo install plasmate

# Or use the install script
curl -fsSL https://plasmate.app/install.sh | sh
```

## Protocols
Confidence
97% confidence
Finding
curl -fsSL https://plasmate.app/install.sh | sh

Chaining Abuse

High
Category
Tool Misuse
Content
cargo install plasmate

# Or use the install script
curl -fsSL https://plasmate.app/install.sh | sh
```

## Protocols
Confidence
95% confidence
Finding
| sh

VirusTotal

66/66 vendors flagged this skill as clean.
