Security audit

mtop-devtools-socket

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed browser DevTools helper, but it gives an agent powerful access to logged-in browser sessions and account-switching features that need careful review before use.

Install only if you trust the publisher and intend to let the agent operate inside logged-in browser sessions. Avoid using it on personal, production, finance, or admin accounts unless your organization explicitly permits it, and review any cookie-backed requests, account switching/borrowing, file uploads, JavaScript execution, and request-rule changes before allowing them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%

The API exposes retrieval of detailed logged-in employee identity and organizational metadata, including name, department, BU, admin flag, and related identifiers. In a browser/devtools skill, this expands access from debugging into unnecessary personal-data collection, increasing insider privacy risk and enabling profiling or targeted abuse if invoked without strict need and consent.

Context-Inappropriate Capability

Severity: High
Confidence: 95%

The documented TDBank operations allow listing accounts, switching accounts, and borrowing then switching into another account from an authenticated browser session. Those capabilities are unrelated to ordinary devtools/browser debugging and create a strong risk of privilege misuse, impersonation, or unauthorized access to data/actions under alternate accounts.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%

The examples document retrieval of employee identity and detailed organizational profile data that is unrelated to the stated browser/devtools debugging scope. This expands the skill into HR/personnel data access and normalizes exposure of personally identifiable and internal organizational information, increasing the chance of misuse or overcollection.

Description-Behavior Mismatch

Severity: High
Confidence: 98%

The TDBank account listing, switching, and especially borrowing workflows are materially outside a devtools/browser-debugging skill and provide account-access operations that could enable impersonation or unauthorized actions. Embedding these examples in a broadly scoped tool lowers barriers to misuse and suggests privileged account manipulation is acceptable within normal debugging flows.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%

User identity and org-profile retrieval is context-inappropriate for a browser/devtools skill because it exposes sensitive employee metadata without an operational need tied to page debugging. This mismatch makes accidental or intentional data harvesting more likely and weakens the principle of least privilege.

Context-Inappropriate Capability

Severity: High
Confidence: 98%

Account borrowing and switching are highly sensitive identity/privilege operations that do not belong in a general devtools skill. In this context, they could facilitate lateral movement, impersonation, or testing under another identity without sufficient separation of duties.

Missing User Warnings

Severity: Medium
Confidence: 94%

The README documents capabilities to access authenticated browser requests, cookies/signatures, and user identity data, modify traffic, execute arbitrary JavaScript in the page context, and manipulate browser tabs, but it does not present clear security boundaries, consent requirements, or privacy warnings. In an agent skill, these features materially increase the risk of unauthorized data access, session abuse, account switching, traffic tampering, and destructive browser actions if invoked without explicit user approval and scope restrictions.

Missing User Warnings

Severity: Medium
Confidence: 95%

The skill description advertises capabilities to reuse browser login state, cookies, and signatures, debug requests, inspect logs/events, and proxy authenticated requests, but it does not clearly warn users that highly sensitive session data and authenticated network traffic may be accessed or transmitted. Because this skill bridges browser/devtools context and local socket/CDP functionality, an agent could invoke powerful authenticated actions without the user appreciating the sensitivity, increasing the risk of credential misuse, data exfiltration, or unintended privileged operations.

Missing User Warnings

Severity: Medium
Confidence: 92%

The documented actions include saving screenshots to local paths and uploading local files into browser pages, but the skill text does not clearly warn that these operations affect the local filesystem and may expose local content to remote sites. In an agent setting, missing warnings can lead to unintended overwrites, disclosure of sensitive local files, or uploads to untrusted destinations without informed user approval.

Missing User Warnings

Severity: Medium
Confidence: 90%

The send_mtop_request documentation explicitly describes using browser login cookies and token-derived signatures to issue authenticated requests in the current user context. Without prominent warnings, scoped restrictions, and consent expectations, this normalizes powerful authenticated API access that can expose or modify sensitive user data through the browser session.

Missing User Warnings

Severity: Medium
Confidence: 92%

The proxy_request and request_domain_permission features document obtaining host permissions and attaching browser cookies to arbitrary requests, enabling access to authenticated content on authorized domains. Even with a user permission prompt, the absence of strong warnings and tighter purpose limitation makes it easier to use the tool as a generic authenticated data exfiltration or account-action proxy.

Missing User Warnings

Severity: Medium
Confidence: 89%

The user-info API returns employee personal and organizational data, but the documentation does not clearly warn that invoking it exposes sensitive personal information beyond basic debugging needs. In this skill context, that omission increases the risk that agents or users treat identity-data retrieval as routine rather than sensitive, enabling unnecessary collection and disclosure.

Missing User Warnings

Severity: Medium
Confidence: 93%

The examples promote proxying requests that automatically include browser cookies, tokens, and signatures, yet they do not warn that authenticated data may be transmitted to arbitrary destinations. In a tool designed to reuse browser login state, that omission is dangerous because it can lead to credential leakage, unauthorized API use, or cross-domain data exfiltration.

Missing User Warnings

Severity: Medium
Confidence: 89%

The browser action examples include clicking, typing, navigation, uploads, keypresses, and JavaScript execution, all of which can mutate application state or expose local/browser data. Without an explicit warning, users may underestimate that these are active operations capable of submitting forms, triggering transactions, or manipulating the page context.

Missing User Warnings

Severity: Medium
Confidence: 95%

The user information examples disclose sensitive personal and organizational details such as name, department, employee identifiers, and profile metadata without any privacy warning or minimization guidance. This can normalize unnecessary collection and exposure of employee data beyond the debugging purpose of the skill.

Missing User Warnings

Severity: High
Confidence: 97%

The TDBank examples show account borrowing and switching with no explicit user warning, despite these being sensitive actions that can change the acting identity and affect downstream systems. Presenting them as routine examples increases the risk of misuse, accidental impersonation, and unauthorized access.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.