
Security audit

Agent Browser

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate browser automation skill, but it grants broad browser, session, credential-adjacent, and persistence capabilities with weak default containment.

Install only if you need powerful browser automation and trust the external CLI. Before handing it to an agent, use a test or isolated browser profile, enable domain allowlists, action policies, content boundaries, and output limits, and avoid importing your everyday logged-in browser. Encrypt or promptly delete state files and recordings, and do not use proxy rotation to bypass site rate limits or access restrictions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Context-Inappropriate Capability

Medium severity, 91% confidence
Finding
The command reference explicitly exposes arbitrary JavaScript execution via `agent-browser eval -b` and `agent-browser eval --stdin`, allowing unrestricted code to run in the browser context. In an agent-facing browser automation skill, this materially expands capability beyond simple navigation and form interaction, enabling DOM manipulation, data extraction, and abuse of authenticated sessions in ways that are harder to constrain or audit.

Vague Triggers

Medium severity, 95% confidence
Finding
The trigger description is extremely broad for a high-capability browser automation skill, making accidental or inappropriate invocation more likely. In this context, over-triggering is dangerous because the skill can navigate arbitrary sites, interact with authenticated sessions, access clipboard data, and perform stateful actions without restrictions by default.

Missing User Warnings

Medium severity, 97% confidence
Finding
The skill documents exporting browser auth state and explicitly notes that state files contain session tokens in plaintext, but it frames this as an operational detail rather than a strong security warning. Because this skill is intended for AI-driven browser automation, leaked state files could enable session hijacking and unauthorized access to user accounts across websites.

Missing User Warnings

Medium severity, 93% confidence
Finding
The skill exposes clipboard read and write operations without emphasizing that the clipboard may contain passwords, API keys, personal data, or other secrets copied outside the current task. In an agent context, silent clipboard access expands the boundary of accessible sensitive data beyond the website being automated.

Missing User Warnings

Medium severity, 95% confidence
Finding
The skill presents local file access via file:// as a normal workflow without a strong warning about exposure of local documents, PDFs, HTML files, and potentially sensitive system data. In an AI agent setting, enabling browser access to local files can materially increase the risk of unintended data disclosure from the host environment.
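The overview recommends domain allowlists, and this finding shows why a scheme check belongs in the same policy: a file:// URL is just another navigation target unless something refuses it. The following is an added example of such a pre-navigation check, written for this audit page; it is not code from the Agent Browser skill or its CLI. It assumes the operator's wrapper calls check_navigation() before every open/goto and refuses anything it rejects, and the allowlist (example.com) is a constructed sample. Besides file:, data: and javascript: schemes it also rejects userinfo tricks (https://app.example.com@evil.net/ has hostname evil.net), trailing-dot and case variants, non-ASCII hosts, and non-default ports.

```python
"""Pre-navigation allowlist check for URLs an automation agent asks to open.

Added example, not code from the Agent Browser skill or its CLI. It assumes
the operator's wrapper calls check_navigation() before every open/goto and
refuses anything it rejects; the allowlist itself is a constructed sample.
"""
from urllib.parse import urlsplit

# Constructed policy: only https, only these hosts (and their subdomains).
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"example.com"}
ALLOW_SUBDOMAINS = True
ALLOWED_PORTS = {None, 443}


def host_allowed(host: str) -> bool:
    """Exact or suffix match against the allowlist, after normalising case and a trailing dot."""
    host = host.lower().rstrip(".")
    if host in ALLOWED_HOSTS:
        return True
    return ALLOW_SUBDOMAINS and any(host.endswith("." + h) for h in ALLOWED_HOSTS)


def check_navigation(url: str) -> tuple[bool, str]:
    """Return (allowed, reason). Every non-https scheme, including file:, data:
    and javascript:, is rejected, as are URLs with userinfo or odd ports."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable url: {exc}"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme or '(none)'!r} not allowed"
    # https://app.example.com@evil.net/ parses with hostname evil.net; reject
    # userinfo outright rather than trusting whatever precedes the '@'.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in url"
    host = parts.hostname
    if not host:
        return False, "no host"
    if not host.isascii():
        # Conservative: refuse IDN/homoglyph hosts instead of trying to canonicalise them.
        return False, f"non-ascii host {host!r}"
    try:
        port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    if not host_allowed(host):
        return False, f"host {host!r} not in allowlist"
    return True, "ok"
```

A deny-by-default scheme set is the important part: an allowlist that only matches hostnames lets file:///home/user/.ssh/id_rsa through, because that URL has no host to fail the match. If local files must be readable for a given job, serve a dedicated directory over a local http server and allowlist that origin instead of opening file://.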

Missing User Warnings

Medium severity, 91% confidence
Finding
The documentation instructs users to capture and persist full Chrome trace data to local JSON files, but it does not warn that traces can include sensitive browsing metadata such as visited URLs, timing of authenticated actions, page structure details, and potentially user-input or app-specific identifiers exposed through performance events. In a browser automation skill that may be used for logins, form filling, and testing authenticated applications, this omission increases the risk that operators collect, retain, or share sensitive trace artifacts without realizing their contents.

Missing User Warnings

Medium severity, 90% confidence
Finding
The documentation shows authenticated proxy URLs with embedded usernames and passwords in environment variables and connection strings, but does not warn that these secrets may be exposed through shell history, process listings, logs, CI output, or copied config snippets. In a browser-automation skill, proxy credentials often grant access to corporate egress infrastructure or paid proxy networks, so disclosure can lead to unauthorized network access, traffic interception, or service abuse.
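The practical check for this finding is to scan the places the finding names (CI output, shell history, process listings) for user:password@ proxy URLs and to redact them before anything is shared. The code below is an added example for this page, not code from the audited skill: the log lines are constructed, and browser-worker is a placeholder process name, not a flag or binary of the skill's CLI. It also shows the safer construction, assembling the proxy URL in-process from a password read elsewhere and percent-encoding it, so the secret never appears in argv or in a copied config snippet.

```python
"""Find and redact proxy URLs that carry credentials in logs, CI output or shell history.

Added example; not code from the audited skill. The log lines below are
constructed, and 'browser-worker' is a placeholder process name, not a real
flag or binary of the skill's CLI.
"""
import re
from urllib.parse import quote, urlsplit, urlunsplit

# scheme://user:password@host... anywhere in free text. The user part stops at
# ':' and the password at '@', so 'http://host:3128' (no credentials) is not a hit.
_CRED_URL = re.compile(
    r"\b(?P<scheme>https?|socks5h?|socks4a?)://(?P<user>[^\s:@/]+):(?P<pw>[^\s@/]+)@(?P<rest>[^\s'\"]+)",
    re.IGNORECASE,
)


def redact_url(url: str) -> str:
    """Replace the password of a URL with ***; URLs without userinfo pass through unchanged."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    netloc = f"{parts.username or ''}:***@{host}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def find_leaked_proxy_creds(lines):
    """Return [(line_no, redacted_line)] for every line containing a user:pass@ URL."""
    hits = []
    for n, line in enumerate(lines, 1):
        if _CRED_URL.search(line):
            redacted = _CRED_URL.sub(lambda m: f"{m['scheme']}://{m['user']}:***@{m['rest']}", line)
            hits.append((n, redacted))
    return hits


def build_proxy_url(scheme, user, password, host, port):
    """Assemble a proxy URL at runtime from a secret read elsewhere (file with mode
    0600, secret manager), percent-encoding the credentials so ':' or '@' in a
    password cannot change how the URL is parsed."""
    return f"{scheme}://{quote(user, safe='')}:{quote(password, safe='')}@{host}:{port}"


SAMPLE_LINES = [  # constructed samples of where such URLs typically end up
    "export HTTPS_PROXY=http://alice:s3cret@proxy.corp.example:3128",
    "12345 browser-worker --proxy=socks5://bob:hunter2@gw.example:1080",
    "[ci] proxy configured: http://proxy.corp.example:3128",
    "HTTPS_PROXY=http://proxy.corp.example:3128 npm test",
]
```

Redaction keeps the username so a line stays attributable during triage; if a hit turns up in history or CI logs the password has already been exposed and should be rotated, not merely scrubbed. Note that exporting the URL as an environment variable does not help against a local attacker either, since the environment of a running process is readable from /proc on Linux.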

Missing User Warnings

Medium severity, 88% confidence
Finding
The documentation shows saving and reloading authenticated browser state, which can include cookies and other session artifacts that effectively act as bearer tokens. Although the file later notes that state files contain auth tokens, this example itself normalizes persisting sensitive session material without an immediate warning, increasing the chance that users store it insecurely or reuse it across trust boundaries.

Missing User Warnings

Medium severity, 85% confidence
Finding
The authenticated session reuse example uses USERNAME and PASSWORD variables and persists the resulting authenticated state, but does not directly warn about secure credential sourcing or the sensitivity of the resulting state file. In an agent/browser automation context, this can encourage unsafe practices such as pulling credentials from shell history, environment leakage, logs, or leaving long-lived authenticated state on disk.
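The three findings above (exported auth state in plaintext, saving and reloading state, and persisting state after a scripted login) all come down to one artifact: a state file that is a bundle of bearer credentials. An operator who keeps such files should at least know what is in them and who can read them. The script below is an added example written for this page, not code from the audited skill. It assumes the file uses the Playwright storageState JSON layout ({"cookies": [...], "origins": [{"origin", "localStorage": [...]}]}), which is an assumption about the format, not something the skill's documentation states; the sample state is constructed.

```python
"""Audit a saved browser auth-state file before it is stored, copied or shared.

Added example; not code from the audited skill. It assumes the Playwright
storageState JSON layout ({"cookies": [...], "origins": [{"origin",
"localStorage": [...]}]}); that layout is an assumption, not a documented
detail of the skill. SAMPLE_STATE is constructed.
"""
import json
import os
import re
import stat
import time

SECRET_NAME = re.compile(r"sess|sid|token|auth|jwt|csrf|remember|login", re.I)
JWT_LIKE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")
NOW = 1_700_000_000.0  # fixed clock so the sample report is deterministic


def _cookie_issues(c: dict, now: float) -> list:
    issues = []
    exp = c.get("expires", -1)
    if exp in (-1, None):
        issues.append("session cookie (no expiry): lives as long as the file does")
    elif exp < now:
        issues.append("expired")
    else:
        issues.append(f"valid for {int((exp - now) // 86400)} more day(s)")
    if not c.get("secure"):
        issues.append("not Secure (replayable over http)")
    if not c.get("httpOnly"):
        issues.append("not HttpOnly (readable by page JS, e.g. via eval)")
    if SECRET_NAME.search(c.get("name", "")):
        issues.append("name suggests a bearer credential")
    return issues


def audit_state(state: dict, now=None) -> list:
    """One record per cookie (every cookie is session material) and per
    localStorage item that looks like a credential."""
    now = time.time() if now is None else now
    report = []
    for c in state.get("cookies", []):
        report.append({"kind": "cookie", "name": c.get("name"), "scope": c.get("domain"),
                       "issues": _cookie_issues(c, now)})
    for o in state.get("origins", []):
        for item in o.get("localStorage", []):
            issues = []
            if JWT_LIKE.match(item.get("value", "")):
                issues.append("value looks like a JWT")
            if SECRET_NAME.search(item.get("name", "")):
                issues.append("name suggests a bearer credential")
            if issues:
                report.append({"kind": "localStorage", "name": item.get("name"),
                               "scope": o.get("origin"), "issues": issues})
    return report


def redact_state(state: dict) -> dict:
    """Deep copy with every cookie/localStorage value replaced, safe to log or diff."""
    red = json.loads(json.dumps(state))
    for c in red.get("cookies", []):
        c["value"] = f"<redacted:{len(c.get('value', ''))} chars>"
    for o in red.get("origins", []):
        for item in o.get("localStorage", []):
            item["value"] = f"<redacted:{len(item.get('value', ''))} chars>"
    return red


def audit_state_file(path: str) -> dict:
    """Combine content findings with file-level ones: permissions and age."""
    st = os.stat(path)
    with open(path, encoding="utf-8") as f:
        state = json.load(f)
    mode = stat.S_IMODE(st.st_mode)
    file_issues = []
    if mode & 0o077:
        file_issues.append(f"mode {mode:04o}: readable by group/others; chmod 600")
    age_days = (time.time() - st.st_mtime) / 86400
    if age_days > 1:
        file_issues.append(f"written {age_days:.0f} day(s) ago; rotate or delete stale state")
    return {"file": file_issues, "items": audit_state(state)}


SAMPLE_STATE = {  # constructed, shaped like a storageState export
    "cookies": [
        {"name": "sessionid", "value": "abc123", "domain": "app.example.com", "path": "/",
         "expires": -1, "httpOnly": True, "secure": True, "sameSite": "Lax"},
        {"name": "remember_me", "value": "deadbeef", "domain": ".example.com", "path": "/",
         "expires": NOW + 30 * 86400, "httpOnly": False, "secure": False, "sameSite": "None"},
    ],
    "origins": [
        {"origin": "https://app.example.com",
         "localStorage": [{"name": "access_token", "value": "eyJhbGciOi.eyJzdWIi.sig"}]},
    ],
}
```

Two points the report makes visible that the raw file does not: a cookie with expires -1 is a "session" cookie in the browser but lives indefinitely once exported, and a long-lived remember-me cookie scoped to the parent domain is reusable against every host under it. Treat the file like a private key: mode 0600, encrypted at rest if kept, deleted when the job ends, and never committed or attached to a ticket without running it through redact_state() first.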

Missing User Warnings

Medium severity, 95% confidence
Finding
The documentation encourages recording browser sessions for debugging, documentation, and CI evidence but never warns that videos may capture sensitive on-screen data such as credentials, session details, personal data, or internal application content. In the context of a browser automation skill, this omission is more dangerous because the examples explicitly include login flows and test artifacts, increasing the likelihood that recordings are stored, shared, or uploaded with secrets visible.

Missing User Warnings

Medium severity, 89% confidence
Finding
The template always saves a screenshot to /tmp/form-result.png after form interaction, which can capture completed forms, confirmation pages, or other sensitive data such as personal information, credentials, or uploaded-document metadata. In an agent-browser skill, this is more dangerous because the workflow is explicitly designed to automate form filling, so operators may use it on login, signup, payment, or internal business forms without realizing the data is being persisted to disk.

VirusTotal

64/64 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.