
Security audit

Steel Browser

Security checks across malware telemetry and agentic risk

Overview

This cloud-browser automation skill is coherent, but it needs review because several command wrappers can turn crafted inputs into local Python code execution.

Install only after review. Do not pass untrusted page text, model-generated selectors, URLs, filenames, or JavaScript into these scripts until argument handling is fixed. Avoid using it on sensitive or regulated accounts unless you accept Steel.dev processing the browser session, page content, screenshots, and interactions; keep the API key protected and release sessions when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill documents the use of environment variables and persistent local state (`STEEL_API_KEY`, `~/.steel_state`) but does not declare corresponding permissions. That mismatch can bypass least-privilege expectations and cause an agent or operator to grant or use filesystem and secret access without explicit review.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The description is broad enough to match many ordinary browsing tasks, including scraping, form filling, and automation loops, without clear boundaries or approval conditions. This increases the chance the skill is invoked in contexts involving sensitive sites or user data when a narrower tool would be safer.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The documentation explicitly supports screenshots, scraping, form filling, residential proxies, and CAPTCHA solving, but does not warn about privacy, legal, or data-handling implications. In practice, this enables collection or transmission of sensitive webpage contents, credentials, session data, or personal information with little friction.

Missing User Warnings

Severity: Medium
Confidence: 78%
Finding: This helper establishes a remote CDP connection to Steel.dev, which gives the external service access to browser state, page contents, cookies, and user interactions for that session. In an agent skill that automates browsing and form-filling, undisclosed remote browser control increases privacy and data-handling risk, especially if users may enter credentials or sensitive content into the session.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: This script extracts the current page's visible text or raw HTML and prints it directly to stdout with no consent boundary, redaction, or disclosure. In the context of a browser-automation skill that can access authenticated sessions, forms, and arbitrary sites, this can expose sensitive page data such as tokens, PII, emails, or internal application content to downstream logs or callers.

VirusTotal

64/64 vendors flagged this skill as clean.
