Back to skill

Security audit

AI Orchestrator

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims, but it uses a persistent logged-in browser daemon with broad local recovery actions and sensitive local artifacts that deserve review before installation.

Install only if you are comfortable sending prompts, pasted code, and stdin content to DeepSeek through an automated logged-in browser. Use a dedicated DeepSeek account/profile, keep the skill directory private, clear `.profile/`, `.sessions/`, and `.diagnostics/` when finished, and avoid the broad recovery commands unless you have checked they will not stop unrelated Puppeteer or Chrome work. Prefer manual daemon start over boot persistence unless you specifically want this browser session to keep running.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code invokes `pm2 restart deepseek-daemon` as part of automatic recovery, giving a chat-orchestration tool the ability to control an external process manager. That exceeds the minimum capability needed to query DeepSeek and can let normal skill execution restart host services unexpectedly, especially if PM2 manages other workloads under the same account.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
`killChromeProcessesForProfile` enumerates and SIGKILLs Chrome processes matching a profile path, then deletes Chrome-related files under `/dev/shm` and `/tmp` using shell commands. This is a host-management and destructive recovery action that can disrupt unrelated browser sessions and removes files outside the app's private directory.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation explicitly promotes persistent sessions and a Chrome profile directory that retains cookies and chat context, but it does not clearly warn operators that sensitive prompts, authentication state, and browsing artifacts may remain on disk. In an agent skill context, silent persistence increases the risk of unintended data retention, cross-task leakage, or later exfiltration from the workspace.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The crash-diagnostics section states that full page screenshots and HTML are written to disk, which can capture prompts, model outputs, tokens, cookies, account state, and other sensitive page contents. Because this is browser automation against an authenticated AI service, diagnostic dumps materially raise the chance of sensitive data being stored unredacted in the local environment.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill metadata and usage guidance are broad enough to attract generic code analysis, review, generation, and text tasks, which can cause this browser-automation skill to be invoked in situations where users may not expect their data to be sent to an external third-party service. That scope creep increases the chance of inappropriate routing of sensitive source code or documents through DeepSeek without explicit consent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The document describes piping prompts and code into the tool but does not prominently warn that all such content is transmitted to an external DeepSeek service via browser automation. This creates a real confidentiality and privacy risk because users or calling agents may forward sensitive code, credentials, customer data, or internal documents without informed consent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The diagnostics object stores `promptPreview: q.substring(0, 80)` and later writes summary/metrics files, which can persist user prompt content to disk without clear consent. Prompts often contain secrets, proprietary code, or personal data, so even partial prompt capture creates a local data exposure risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script prints full model outputs to stdout and saves screenshots/HTML/diagnostic summaries on errors, which can expose sensitive response data to terminal logs, CI logs, shared shells, or local disk. In this skill's context, responses may include code, credentials, internal analysis, or private text sent to DeepSeek, increasing confidentiality risk.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
The script automatically executes `pm2 restart deepseek-daemon` based on health-check outcomes, which can disrupt service and alter system state without interactive confirmation or external authorization checks. In this skill's context, the script controls a persistent browser automation daemon, so false positives, manipulated endpoint state, or transient page/login/CAPTCHA conditions could trigger repeated restarts and create avoidable denial-of-service or operational instability.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The daemon writes the live Puppeteer browser WebSocket endpoint to predictable local files, and that endpoint grants full DevTools control over the browser instance. In this skill’s context, the browser is authenticated to DeepSeek via a persistent profile, so any local user or process that can read the file may hijack the session, inspect page data, execute arbitrary browser actions, and potentially access sensitive prompts or account content.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script enables PM2 startup persistence, which changes system behavior beyond the current shell session and can cause the daemon to restart automatically on boot. While this appears intended for convenience rather than abuse, doing so without an explicit warning or confirmation reduces user awareness and may lead to unintended long-lived background execution.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.dynamic_code_execution

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
ask-puppeteer.js:112

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
daemon-healthcheck.js:239

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
ask-puppeteer.js:1258