Back to skill

Security audit

BrowserMCP Skill

Security checks across malware telemetry and agentic risk

Overview

BrowserMCP appears legitimate, but it can control a connected logged-in Chrome tab and relies on an unpinned external runtime package, so users should review it carefully before installing.

Install only if you trust BrowserMCP and need real-browser automation. Prefer a separate Chrome profile with only the accounts needed, connect only the intended tab, avoid banking/admin/PII-heavy pages unless necessary, require explicit confirmation before posting, purchasing, submitting forms, changing account data, or accepting terms, and consider pinning or reviewing the MCP package instead of using `@latest`.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly promotes controlling the user's real browser profile with active authenticated sessions, form filling, and stealth/bot-evasion capabilities, but it does not provide an equally explicit warning about privacy, unintended account actions, or the need for clear user consent before acting on logged-in sites. In this context, the omission is security-relevant because the skill can perform high-impact actions as the user, increasing the risk of accidental data exposure, purchases, submissions, or account changes.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This setup guide explicitly encourages browser automation against the user's existing Chrome profile and authenticated sessions, but the extension-permissions section does not warn that actions, screenshots, snapshots, and console retrieval can expose sensitive data from the connected live tab. In this skill's context, that omission is materially risky because the tool is designed to operate on real logged-in websites, increasing the chance of unintended data access or exfiltration.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation promotes taking screenshots of the current browser viewport but does not warn that screenshots can capture sensitive data already present in the user's authenticated browser session, such as account details, messages, tokens shown in-page, or internal dashboards. In this skill's context, the risk is elevated because it explicitly operates with the user's existing browser profile and authenticated sessions, making screenshots a realistic path for unintended data exposure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation describes retrieving browser console logs without noting that logs may include sensitive application and user data such as API responses, tokens, internal URLs, stack traces, identifiers, or debugging output. Because this skill uses the user's live browser profile and authenticated sessions, console logs may expose privileged or private information from active applications, increasing the likelihood and severity of unintended disclosure.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.