Back to skill

Security audit

tekin

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate browser automation skill, but it gives an agent broad control over authenticated browser sessions and saved browser artifacts without enough safety boundaries.

Install only if you need full browser automation and are comfortable with an agent controlling browser sessions. Avoid using it on sensitive authenticated accounts unless explicitly intended; treat saved state, screenshots, recordings, traces, headers, credentials, and auth.json files like secrets, keep them out of shared folders and source control, and delete them when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The manifest describes the skill as structured browser automation, but the documented command set also enables arbitrary JavaScript execution, network interception/mocking, credential/header injection, and persistent session/state handling. That mismatch can cause users or higher-level policy systems to underestimate the privilege and risk of the skill, making unsafe invocation more likely.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The `agent-browser eval` command allows arbitrary JavaScript execution in page context, which materially exceeds a purely structured browser-control model and can interact with page data, DOM state, tokens, and privileged in-session content. If an agent is allowed to use this skill based on the narrower manifest description, this capability can be abused for data extraction or bypassing intended guardrails.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill exposes cookies, localStorage, and session save/load features without warning that these artifacts may contain authentication tokens, account data, or other secrets. In an agent context, easy state export/import increases the chance of credential persistence, accidental disclosure, session replay, or cross-task contamination.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documentation encourages file-writing operations such as screenshots, PDFs, videos, traces, and saved state without warning about overwriting files or persisting sensitive page contents to disk. In authenticated browsing sessions, these outputs can capture secrets, personal data, or internal application state and leave durable artifacts on the host.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.