Google Flow Video Automation

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended to automate Google Flow video generation, but it asks users to expose a real logged-in Chrome profile to broad browser automation and can confirm credit-consuming actions automatically.

Install only if you are comfortable giving the skill control over a logged-in Chrome session. Use a dedicated temporary Chrome profile, keep only Google Flow open, close Chrome after use, review/delete /tmp screenshots and output files, and do not run it on an account where automatic credit use would be unacceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 79%
Finding
The skill declares no permissions while its documented workflow clearly depends on network access to local CDP endpoints and Google Flow services. This undermines transparency and informed consent, making it easier for users or orchestration systems to run a network-capable skill without understanding its real reach.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 84%
Finding
The documented behavior is broader than the stated purpose: it uses Chrome remote debugging, guides account login, persists local configuration, explores UI state, and may download unintended media types. That mismatch is security-relevant because users may authorize a narrowly described automation while the skill actually gains a wider ability to inspect and drive an authenticated browser session.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The quickstart explicitly frames CDP use as a way to 'bypass Google login detection' and emphasizes reuse of a real Chrome session. That normalizes an anti-detection/anti-control capability beyond simple video generation and increases the chance the skill is used in ways that violate platform safeguards or expose an authenticated browser session to misuse.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The startup command points Chrome at the user's default profile while enabling remote debugging on port 9222, but the document does not clearly warn that this exposes active cookies, sessions, and browser data to any process that can access CDP. Using the default profile makes the risk materially worse because compromise of CDP can affect the user's full signed-in browser context, not just Google Flow.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The instructions tell the user to launch Chrome with remote debugging enabled against their default profile, which exposes cookies, logged-in sessions, browsing data, and powerful browser-control APIs to any process that can reach the CDP port. Using the default profile greatly increases blast radius because compromise of the automation or local port access can pivot into full account/session takeover across the user's existing Chrome state.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The script captures screenshots of an authenticated Google Flow session and writes them to predictable files under /tmp, which may expose account information, prompts, project content, or other sensitive page data to other local users or processes. In this skill context, the screenshots are taken specifically during login/setup and settings exploration, which makes accidental capture of sensitive browser state more likely.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The script attaches to an existing Chrome instance over CDP and reuses the first available browser context, which may contain authenticated sessions, cookies, open tabs, and other sensitive user data unrelated to Google Flow. Because CDP grants broad browser control, a script like this can inspect or manipulate arbitrary pages in that session, making accidental overreach or abuse high impact.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The script detects credit-related confirmation text and automatically clicks “Yes” without any explicit user approval or spending guardrail. In this skill’s context, that can directly trigger billable actions on a logged-in Google Flow session, making unintended charges or abuse of an attached account more likely.

VirusTotal

63/63 vendors flagged this skill as clean.
