Back to skill

Security audit

Browse

Security checks across malware telemetry and agentic risk

Overview

This browser automation skill is mostly coherent, but it gives broad control over logged-in browsing through an unbundled local command and needs careful review before use.

Install only if you trust the `browse` CLI already installed on your machine. Use narrow, explicit instructions; prefer isolated sessions and test accounts; confirm before uploads, form submissions, purchases, account changes, public posts, or webhook reporting; treat auth-state files as secrets; and run `browse wipe` or close sessions after sensitive browsing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger list is extremely broad and includes generic phrases like 'check the page', 'QA', and 'healthcheck', which can cause the browser automation skill to activate in contexts where real web interaction was not intended. Because this skill can navigate, upload files, persist auth state, and send data externally, accidental invocation expands the chance of unintended network actions and data exposure.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly states that cookies, localStorage, and auth tokens persist across commands within a session, but it does not prominently warn that sensitive authenticated state may be retained and reused. In an agent setting, this increases the risk of cross-task leakage, unintended actions under a prior identity, and mishandling of sensitive session material.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documented `upload @eN <file>` capability can transfer local file contents from the agent environment to remote websites, yet there is no warning about the risk of exfiltrating sensitive local data. In a browser automation skill, this is especially dangerous because uploads are a direct outbound data channel that may be triggered on untrusted sites.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The `--webhook` options for flows and healthchecks enable sending execution results to arbitrary external endpoints, but the documentation does not warn that this transmits data off-host. This creates an exfiltration path for screenshots, reports, URLs, page contents, or other potentially sensitive test artifacts when used by an agent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The `auth-state save/load` commands create and reuse portable authentication artifacts that can grant access without re-entering credentials, yet the skill provides no warning about their sensitivity. If these files are stored insecurely, reused across tasks, or loaded into the wrong session, they can enable account compromise or unauthorized access.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.