Web Tools Guide

Security checks across malware telemetry and agentic risk

Overview

This web-tools guide is not malicious, but it gives agents broad power to install tools, store API keys, and restart or kill browser and gateway processes.

Install only if you trust the opencli package and browser extension source, and only run the setup script after reviewing its effects. Avoid high-value API keys, do not let the agent read keys back into chat, and confirm any Chrome, gateway, Docker, or pkill restart command before it runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91%
Finding
The skill text instructs the agent to run a shell command (`bash {baseDir}/scripts/setup-opencli.sh`) even though the skill declares itself as guidance for web-tool usage rather than as an installer. An undeclared shell capability is dangerous because it expands the trust boundary from passive documentation to local code execution, and the referenced setup script can make privileged changes to the environment without any explicit permission scoping.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97%
Finding
This is a true description-behavior mismatch: the skill presents itself as a mandatory procedural guide, but directs execution of an installer that can globally install software, download extension artifacts, inspect processes, restart Chrome, and modify browser launch parameters. That mismatch is especially dangerous because users or agents may trust and auto-apply the skill in routine browsing scenarios, unintentionally allowing invasive host and browser modifications.

Description-Behavior Mismatch

Medium
Confidence
94%
Finding
The script goes beyond installation guidance and actively kills and restarts a running Chrome process, which is a destructive side effect that can disrupt user activity, lose session state, and alter browser execution context. In a 'web-tools guide' skill, this capability is broader than necessary and increases risk because it manipulates an already-running user application rather than instructing the user how to reconfigure it safely.

Context-Inappropriate Capability

High
Confidence
98%
Finding
The script reconstructs a Chrome launch command from /proc/<pid>/cmdline (a NUL-separated argv), edits it with text processing, and re-executes the flattened string via `bash -c`. Because the shell re-parses that string, whitespace inside a single argument splits it into several, and metacharacters such as ;, &, |, $( ) or quotes inside an argument are interpreted rather than passed through. This creates command-injection and unintended-execution risk while granting the skill unnecessary control over browser startup behavior, which is especially inappropriate for a guidance/install helper.
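The contrast between the two approaches, as an added example that is not the skill's setup script or the scanner's code. It builds a constructed stand-in for /proc/<pid>/cmdline in a temporary directory (a Chrome argv with a space in the profile path and an ampersand in a URL), shows how many words bash would make of the flattened string, and then does the same edit on a proper argv array, which is what a safe restart would hand to exec. The flag name being edited, the paths and the port are assumptions for the demonstration; bash 4 or later is assumed for arrays and read -d ''.

```bash
#!/usr/bin/env bash
# Added example: rebuilding a process command line from /proc/<pid>/cmdline.
# Nothing here launches Chrome; the functions only build and inspect argv.

# Constructed stand-in for /proc/<pid>/cmdline: NUL-separated argv of a Chrome
# process whose profile path contains a space and whose URL contains '&'.
make_fake_cmdline() {
  local dir
  dir=$(mktemp -d)
  printf '%s\0' '/opt/google/chrome/chrome' \
    '--user-data-dir=/home/alice/My Profile' \
    '--remote-debugging-port=9222' \
    '--app=https://example.com/?a=1&b=2' > "$dir/cmdline"
  printf '%s' "$dir/cmdline"
}

# UNSAFE pattern: flatten NULs to spaces, patch with sed, and hand the result
# to `bash -c`. This returns the string that would be executed; it never runs it.
unsafe_build_command() {
  local cmdline=$1 port=$2
  tr '\000' ' ' < "$cmdline" |
    sed "s/--remote-debugging-port=[0-9]*/--remote-debugging-port=$port/"
}

# How many words bash makes of that string. The profile path splits in two,
# and under a real `bash -c` the '&' would background the command at that
# point and treat 'b=2' as a separate assignment.
unsafe_word_count() {
  local cmdline=$1 port=$2 flat
  flat=$(unsafe_build_command "$cmdline" "$port")
  set -f                 # disable globbing so '?' in the URL cannot expand
  # shellcheck disable=SC2086
  set -- $flat
  set +f
  printf '%s' "$#"
}

# SAFE pattern: read the NUL-separated argv into an array, patch one element,
# and exec the array directly so no shell ever re-parses the arguments.
safe_build_argv() {
  local cmdline=$1 port=$2 arg
  local -a argv=()
  while IFS= read -r -d '' arg; do argv+=("$arg"); done < "$cmdline"
  local i found=0
  for i in "${!argv[@]}"; do
    if [[ ${argv[i]} == --remote-debugging-port=* ]]; then
      argv[i]="--remote-debugging-port=$port"; found=1
    fi
  done
  (( found )) || argv+=("--remote-debugging-port=$port")
  # A real restart would now run: exec "${argv[@]}"
  printf '%s\0' "${argv[@]}"
}

# Number of arguments the safe path preserves (one NUL per argument).
safe_argv_count() {
  safe_build_argv "$1" "$2" | tr -dc '\000' | wc -c | tr -d ' '
}

if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
  f=$(make_fake_cmdline)
  echo "unsafe words: $(unsafe_word_count "$f" 9333)"   # profile path split in two
  echo "safe argv:    $(safe_argv_count "$f" 9333)"     # arguments preserved
  rm -rf "$(dirname "$f")"
fi
```

The point of the array version is not only that it survives spaces: an attacker who can influence any argument of the running browser (a URL opened with --app, a profile directory name) controls text that `bash -c` would interpret, whereas `exec "${argv[@]}"` passes each argument to the new process byte for byte.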

Vague Triggers

Medium
Confidence
88%
Finding
The trigger list is overly broad, covering many common phrases related to searching, opening websites, news, and browsing. In context, that increases danger because the skill is marked 'MANDATORY' and contains instructions that can lead to shell execution and browser/environment modification, so accidental activation could route ordinary requests into risky setup behavior.

Missing User Warnings

Medium
Confidence
96%
Finding
The script forcibly terminates the detected Chrome process with SIGTERM and potentially SIGKILL without user confirmation. That can interrupt active browsing, lose form data or unsaved work, and unexpectedly affect privileged browser sessions if the script is run as root.

Ssd 3

Medium
Confidence
95%
Finding
This workflow instructs the agent to collect a user's API key and persist it into local configuration storage, increasing the chance of credential exposure through config files, logs, shell history, process arguments, or later accidental disclosure. The risk is amplified because the skill operationalizes secret handling inside a general-purpose agent workflow rather than using a dedicated secret-management path with masking and least-privilege controls.

Ssd 3

Medium
Confidence
97%
Finding
The verification step directs the agent to read stored API keys back from configuration after restart, which unnecessarily exposes secrets during routine validation and creates additional opportunities for leakage into tool output, logs, transcripts, or model context. Validating by retrieving the secret itself is especially risky because it normalizes secret disclosure instead of checking non-sensitive state such as provider enablement or a masked/boolean health check.
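One way to handle both of the preceding findings (persisting the key, then verifying without reading it back), as an added example that is not the skill's workflow or the opencli configuration format. The key is read from stdin rather than taken as an argument, so it never appears in process arguments or shell history; the config file is created owner-readable only; and the verification reports enablement, presence and the last four characters instead of the secret. The key=value file layout, the provider name and the sample key are constructed assumptions for the demonstration.

```bash
#!/usr/bin/env bash
# Added example: store a provider API key without exposing it, and verify the
# result from non-sensitive state only. Assumes a simple key=value config file.

# Read the key from stdin rather than argv so it is absent from `ps`, shell
# history and any transcript of the command; create the file with mode 0600.
store_api_key() {
  local cfg=$1 provider=$2 key
  IFS= read -r key || true
  [[ -n $key ]] || return 1
  ( umask 077
    printf '%s_enabled=true\n%s_api_key=%s\n' "$provider" "$provider" "$key" > "$cfg" )
}

# Verification that discloses nothing useful to an attacker: whether the
# provider is enabled, whether a key is present, and its last four characters.
verify_provider() {
  local cfg=$1 provider=$2 enabled key
  enabled=$(sed -n "s/^${provider}_enabled=//p" "$cfg")
  key=$(sed -n "s/^${provider}_api_key=//p" "$cfg")
  if [[ -n $key ]]; then
    printf 'provider=%s enabled=%s key_present=yes key_last4=%s\n' \
      "$provider" "${enabled:-false}" "${key: -4}"
  else
    printf 'provider=%s enabled=%s key_present=no\n' "$provider" "${enabled:-false}"
  fi
}

# Octal mode of the config file (GNU stat, falling back to BSD stat).
config_mode() {
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
  dir=$(mktemp -d)
  # Constructed sample key; a real one would be pasted by the user, not typed
  # into an agent chat.
  printf '%s\n' 'sk-constructed-example-0123456789ABCD' | store_api_key "$dir/config" openai
  verify_provider "$dir/config" openai     # enablement and last four chars only
  echo "config mode: $(config_mode "$dir/config")"
  rm -rf "$dir"
fi
```

An agent that needs to confirm a restart picked up the configuration should call something like verify_provider and stop there; a `cat` of the config file puts the full key into tool output and model context, which is exactly what the finding warns about.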

VirusTotal

0/65 VirusTotal vendors flagged this skill as malicious; all 65 reported it clean.
