Neomano Web Snapshot (Headless)

Security checks across malware telemetry and agentic risk

Overview

This appears to be a normal headless website screenshot skill with disclosed local dependency installation and no evidence of hidden credential use, persistence, or data theft.

Install only if you are comfortable with the setup downloading Playwright/Chromium and with the tool visiting requested URLs from your machine. Avoid capturing sensitive internal sites unless intended, and keep screenshot output paths local and non-sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The bootstrap script writes a new package.json and then performs dependency resolution and browser binary installation over the network with no explicit warning, consent, integrity pinning, or offline/locked mode. In an agent-skill context, this increases supply-chain and unexpected side-effect risk because simply preparing the skill can modify the workspace and fetch executable code and large binaries.

VirusTotal

66/66 vendors flagged this skill as clean.
