Cloudflare Browser Rendering

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims, but users should be careful because optional cookies and login credentials would be sent to Cloudflare for rendering.

Install if you need Cloudflare-based rendering or crawling. Use a least-privilege Cloudflare token, keep crawl depth and limits small, and avoid passing real session cookies, passwords, or private HTML unless you explicitly intend to send that data to Cloudflare and have a plan for logs and saved outputs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The documentation explicitly encourages use of session cookies and username/password authentication JSON for rendered requests, but it does not warn users about the sensitivity of these credentials or the privacy risks of sending them to third-party pages and APIs. In this context, the skill is more dangerous because it is a browser-rendering and crawling tool that can forward authenticated state to remote content and may save outputs, increasing the chance of credential misuse, leakage, or accidental collection of private data.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal