Browser Automation

Security checks across malware telemetry and agentic risk

Overview

This browser automation skill is purpose-aligned and disclosed, but users should treat browser profiles, cookies, screenshots, and PDFs as sensitive.

Install only if you trust PinchTab and need agent-driven browser control. Use dedicated or disposable profiles for sensitive sites, avoid hardcoding real credentials, keep the local service bound to trusted access, and delete captured screenshots or PDFs when they are no longer needed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill documents automated login flows and persistent browser profiles that retain cookies/authenticated state, but it provides no warning about secure credential handling, secret injection, least-privilege accounts, or profile protection. In an agent context, this increases the risk of exposing live credentials, reusing sensitive sessions across tasks, or unintentionally operating with stored authenticated access.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The documented capabilities include text extraction, screenshots, PDF generation, and cookie access, all of which can capture sensitive page content or session material. Without a user-facing privacy warning or consent boundary, an agent may use these features on pages containing personal, confidential, or regulated data.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal