
Security audit

Auto Captcha Solver

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do what it claims, but it automates CAPTCHA solving and submits forms by default, so users should review it carefully before use.

Install only if you need CAPTCHA handling for systems you own, administer, or are explicitly authorized to test. Set autoSubmit to false unless you deliberately want form submission, avoid using it against third-party anti-bot controls, and do not configure fallbackVision with an external provider unless you are comfortable sending CAPTCHA images to that provider.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (6)

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The optional fallbackVision hook receives the raw CAPTCHA image buffer, a preprocessed buffer, and top OCR candidates, which can allow a caller to send CAPTCHA content to an external provider. That creates a real data-disclosure boundary crossing because the function exposes challenge images and derived metadata without any built-in consent, allowlisting, or locality controls.

Missing User Warnings

Medium
Confidence: 91%
Finding
The code automatically submits a solved CAPTCHA by pressing Enter or clicking a submit element with no confirmation or policy gate. In a browser automation skill specifically designed to bypass CAPTCHA challenges, this increases the risk of unauthorized automated account creation, scraping, or abuse because the human decision point is removed.

Missing User Warnings

Medium
Confidence: 94%
Finding
The function screenshots the CAPTCHA image and passes the image buffer to solveCaptchaImage, which may involve OCR or an external solving service, without any user disclosure, consent control, or destination restriction in this file. Capturing and transmitting challenge images can expose page data to third parties and facilitates CAPTCHA bypass in contexts where such automation is prohibited.

Missing User Warnings

Medium
Confidence: 93%
Finding
The Selenium path captures a screenshot of the CAPTCHA element and forwards it to the solver with the same lack of disclosure and control as the Playwright/Puppeteer path. In this skill's context, the feature is intended to overcome anti-automation checks, so the absence of user-facing consent and governance materially increases abuse potential.

Natural-Language Policy Violations

High
Confidence: 97%
Finding
The package metadata explicitly identifies the skill as an automated CAPTCHA solver, which is designed to bypass a common anti-abuse and access-control mechanism during browser automation. In this skill context, that purpose makes the capability more dangerous rather than less, because it facilitates scaling automated access through controls that many services rely on to deter bots, fraud, account abuse, and policy violations.

Missing User Warnings

Medium
Confidence: 94%
Finding
This code path can hand CAPTCHA images and OCR-derived candidate data to an external vision hook without any user-facing disclosure or warning in the API behavior itself. In browser automation contexts, that can silently transmit challenge content or related session context to outside services, creating privacy, compliance, and trust risks.

VirusTotal

64/64 vendors flagged this skill as clean.
