Agent Browser

Security checks across malware telemetry and agentic risk

Overview

This browser automation skill is useful but gives an agent broad, lightly bounded control over authenticated web sessions and saved browser state.

Install only if you intentionally want an agent to control websites on your behalf. Use a dedicated browser profile or test account, pin and verify the external `agent-browser` CLI, enable domain allowlists and content boundaries, avoid importing your main Chrome session, encrypt or promptly delete saved auth state, and require explicit approval before purchases, deletions, public posts, uploads, or other consequential authenticated actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (12)

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger description is extremely broad and can activate the browser automation skill for many loosely related requests, increasing the chance an agent invokes a powerful web-interaction tool unnecessarily. In this skill, that matters because the tool can navigate arbitrary sites, manipulate sessions, and access sensitive browser state, so accidental invocation expands exposure and misuse risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill documents importing auth from a user's browser, saving state files, using persistent profiles, and storing credentials, but does not present a prominent upfront warning about plaintext tokens, browser session reuse, or the privacy impact of exposing authenticated data to the agent. In a browser automation skill, this omission is dangerous because users or upstream agents may enable these features without understanding that cookies, localStorage, and credentials can grant broad account access.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documented cookie and storage commands expose and modify highly sensitive browser state, including session cookies and localStorage values that often contain authentication artifacts. In an agent-facing browser automation skill, omitting any warning or constraint makes it easy for downstream agents or users to exfiltrate, persist, or replay authenticated sessions without realizing the security implications.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The state save/load commands explicitly persist and restore cookies, storage, and auth state, which enables session replay and credential reuse if the saved file is copied, logged, or mishandled. In a browser automation skill, this materially increases the risk of account takeover or unauthorized continuation of a user's authenticated session.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Network inspection and interception features can reveal request URLs, headers, bodies, API tokens, and personal data, and can also alter traffic through mocking or blocking. Documenting these capabilities without warning understates their sensitivity and could lead agents to capture or manipulate confidential application traffic in unsafe ways.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation shows proxy authentication by embedding credentials directly in `HTTP_PROXY`/`ALL_PROXY` URLs without warning that secrets may be exposed through shell history, CI logs, environment dumps, crash reports, or process inspection. In a browser automation skill, users are likely to copy-paste these examples into shared terminals or automation pipelines, increasing the chance of credential leakage and unauthorized proxy use.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The document demonstrates saving and reusing authenticated browser state, which typically includes cookies and other session artifacts that can function as bearer credentials. Although the file later mentions not committing state files and deleting them after use, the example itself normalizes persistence of sensitive auth material without an immediate, prominent warning at the point of use, which can lead operators to store tokens insecurely or reuse them across contexts.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The iframe example explicitly demonstrates entering payment card data and clicking a Pay button without any warning, confirmation step, or restriction around irreversible financial actions. In an agent-browser skill, this lowers the safety bar for automating high-risk transactions and could normalize unattended payment submission or misuse of real cardholder data.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation encourages recording browser sessions and storing video/screenshots, including login and test flows, but does not warn that recordings may capture credentials, personal data, session information, or other sensitive on-screen content. In an agent-browser skill, this is more dangerous because the tool is explicitly used for automated interaction with websites, including authentication and form filling, so users may unintentionally create persistent sensitive artifacts on disk or in CI systems.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This workflow writes a full-page screenshot, DOM structure, extracted body text, and a PDF of the visited page directly to local storage without any consent prompt, sensitivity check, or scoping restrictions. In a browser automation skill, pages may contain credentials, personal data, session-bound content, or internal business information, so automated bulk capture to disk can create an unintended data retention and exposure risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The template invokes an interactive DOM/page snapshot without any warning that the output may include sensitive page content, form structure, and potentially user-entered values visible to the automation session. In a browser-automation skill intended for login, form filling, and web app testing, this increases the chance that operators collect or expose sensitive data unnecessarily in terminal logs or downstream agent context.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The template saves a screenshot of the resulting page to /tmp without warning that screenshots may contain credentials, personal data, tokens, or other sensitive page contents. Because this skill is specifically designed for browser automation on arbitrary websites, including forms and logins, writing such artifacts to disk creates avoidable retention and disclosure risk on multi-user systems or in shared execution environments.

VirusTotal

65/65 vendors flagged this skill as clean.
