Back to skill

Security audit

Cua Driver

Security checks across malware telemetry and agentic risk

Overview

This is a powerful desktop and browser automation skill that mostly matches its purpose, but it includes under-warned high-impact browser changes, real-profile browser control, and remote installer execution.

Install only if you intentionally want an agent to control real desktop apps and browser sessions. Review the driver installer source and integrity before running the documented one-liners, avoid using real logged-in browser profiles for CDP or JavaScript automation when an isolated profile will work, and be careful with recording because it can save sensitive screen contents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The documented JavaScript backend extends the skill from GUI automation into browser/Electron DOM and runtime inspection, including access to page text, structured DOM queries, and some Electron process metadata. In an agent context, that broadens data-access capability beyond what a user may expect from a GUI-driving skill and can expose sensitive page contents or local runtime information if invoked on the wrong target.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This section instructs the agent to directly modify Chromium-family browser profile preference files to enable a security-sensitive capability, and even discusses syncing the change so it becomes durable. That exceeds a GUI-driving skill's stated scope and can silently weaken the user's browser security posture beyond the immediate task, including persistence across sessions and potentially across devices.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The guidance enables remote debugging on a user's real logged-in Chrome profile and connects through CDP, which exposes a powerful browser-control interface outside the core background GUI-driving use case. If misused, it can grant broad access to tabs, DOM contents, cookies/session context, and privileged browser automation against the user's real browsing session.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly documents background input injection, screenshot capture, and session recording on a real host without an accompanying warning about privacy, consent, or the risk of affecting other applications outside the user's immediate awareness. Because the tool can operate without bringing windows to the foreground, it increases the chance of covert interaction, unintended data capture, or modification of live applications, making the missing safety guidance a real security concern.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README instructs users to execute a shell command that downloads and immediately runs a remote script via curl|bash, without any warning or verification guidance. This is dangerous because it grants the remote endpoint full code-execution on the host, and this skill is specifically for GUI automation on the local machine, so compromise would directly affect the user's workstation and potentially any apps/data the agent can reach.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The PowerShell install command uses irm ... | iex, which downloads remote content and executes it immediately, again without an explicit warning. On Windows this creates the same remote-code-execution risk, and because the driver is meant to control native applications, a compromised installer could abuse broad local access and user trust in the automation tool.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This repeats the curl|bash installer pattern for Linux/macOS without disclosing that the command executes remote code. Repetition in multiple sections increases the chance users will normalize unsafe installation behavior, and in the context of a host-automation skill, successful compromise would affect a system the agent is intended to manipulate.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The Install section repeats both the Unix and Windows remote-execution one-liners without warning, reinforcing an unsafe pattern. Although likely intended as convenience documentation rather than malicious code, it still conditions users to run unverified downloaded scripts and exposes them to supply-chain or server-compromise scenarios.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation states that recording captures every action call and, by default, records the main display for the session, but it does not explicitly warn that the saved artifacts can contain sensitive GUI contents, typed input, credentials, personal data, or secrets shown on screen. In a GUI automation skill, this omission is security-relevant because users may enable recording for demos or regression runs without realizing they are creating durable local artifacts containing highly sensitive data.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill advertises itself for any request to 'operate, drive, automate, or perform a GUI task in a real application on the host,' which is very broad and can cause over-invocation on sensitive host-side actions. Because this skill can launch apps, inspect windows, type, click, and interact with real user applications, an overly loose trigger increases the chance an agent routes ordinary requests into powerful GUI automation without sufficiently explicit user consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
These instructions modify browser preference files and application state without a clear, prominent warning that the agent is changing a protected local browser configuration. Hidden or underexplained security-setting changes undermine informed consent and can leave persistent capabilities enabled after the task completes.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The Safari guidance automates clicking through a security confirmation dialog to enable JavaScript from Apple Events, but does not require an explicit warning or consent flow explaining that a protected browser security control is being changed. Automating approval of a security dialog is especially risky because it bypasses the friction intended to ensure deliberate user authorization.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The activation text says to use this skill whenever a user asks to operate or automate a real Windows application on the host, which is very broad and can cause the agent to select a high-impact GUI automation capability in many situations without tighter gating. In a host-level automation skill, overbroad routing increases the chance of unintended interaction with sensitive apps, destructive actions, or privacy-impacting access if user intent is ambiguous or indirect.

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
the DOM directly via Apple Events. Requires "Allow JavaScript from
Apple Events" to be enabled — see `WEB_APPS.md` for the setup path.

**Three actions on the `page` tool:**

- `page({pid, window_id, action: "get_text"})` — returns
  `document.body.innerText`. Fastest way to read page content, prices,
Confidence
88% confidence
Finding
tool:*

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.