Enable AI Agent to retrieve data from websites that need user sign-in

Security checks across malware telemetry and agentic risk

Overview

This skill is designed to connect an AI agent and an external MCP server to a real browser session, but its browser-control scope and sensitive CDP handoff are too broad for automatic trust.

Install only if you fully trust the publisher and the MCP server in SERVER_URL. Use an isolated browser profile with no sensitive sessions, avoid banking, payments, password, MFA, and account-settings pages, and require explicit user approval before any CDP browsing or authenticated data access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares no explicit permissions while instructing use of environment variables and MCP/CDP-style browser control. This creates a transparency and governance gap: operators may approve or deploy the skill without realizing it can access external browser sessions and environment-provided connection details.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The documentation contains conflicting instructions: it says browser-based sign-in must not be automated, yet embedded system messages tell the agent to open the sign-in URL with a browser tool if available. In practice, this can cause the agent to drive an authenticated browser session or initiate login flows automatically, undermining the intended human-in-the-loop control for sensitive accounts.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The stated purpose is sign-in handoff and data retrieval, but the skill also instructs the agent to directly browse arbitrary sites via CDP when no tool exists. That broadens the skill from a scoped integration into general-purpose browser control, enabling access to authenticated content and actions beyond what users or reviewers would reasonably expect from the description.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The example explicitly includes navigating to a sensitive account-management page such as an Amazon change-password page. This goes beyond passive retrieval and demonstrates capability for high-risk account operations, which could facilitate unauthorized changes or manipulation of security-sensitive settings once a user is signed in.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill does not clearly warn that CDP/browser automation can expose cookies, session state, browsing content, and other authenticated data to the agent. Without an explicit warning, users may unknowingly grant the agent access to highly sensitive account activity and private information after manual sign-in.

VirusTotal

64 of 64 vendors reported this skill as clean.