
Security audit

Browser Automation (CDP)

Security checks across malware telemetry and agentic risk

Overview

This skill largely does what it describes, but it hands the agent broad control over logged-in browser sessions, and its guidance on session and cookie handling is under-scoped (it points the user at the profile's cookie database rather than at task-scoped credentials).

Install it only if you are comfortable letting an agent drive a browser session with the same authority as you. Use a dedicated automation profile, log in only to the accounts the task needs, ignore the cookie-database guidance, close the debug-enabled browser when the task is done (while the remote-debugging port is open, any local process that can reach it has full control of the session), and manually approve sensitive form submissions, account changes, purchases, downloads, and private-page access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The login example hardcodes placeholder credentials and explicitly reuses the Chrome profile's state, which normalizes unsafe handling of secrets and persistent sessions in automation workflows. Users tend to copy such patterns into real deployments, leading to credentials in source, reuse of one account across unrelated tasks, and leakage of authenticated session cookies across runs.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The code explicitly searches for and reuses an existing bilibili.com tab, a site-specific behavior unrelated to generic CDP automation. This is a strong signal of targeted interaction with the user's live authenticated session on one service: actions run with that session's authority instead of in a fresh, isolated page, enabling unauthorized actions or data access.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The examples submit contact information and perform authenticated logins without any privacy, consent, or transmission warning. Users may send personal data or credentials to third-party sites through automation without understanding that the data leaves the machine and that artifacts such as screenshots or session state may be kept locally afterwards.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The download example navigates to a file URL and only afterwards notes that files are written automatically to a local directory, with no up-front safety warning. Untrusted or sensitive files can thus land on disk unintentionally, raising the risk of data leakage, malware exposure, and sensitive artifacts accumulating in predictable locations.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The reference documents that downloads are allowed automatically and saved to disk without prompting, with no clear warning to the operator about the immediate file writes. In a browser-automation skill with full network access to arbitrary websites, this means untrusted or malicious files can be stored silently, inviting unsafe follow-on use and the accumulation of untrusted files on disk.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The skill is designed to drive an already logged-in local browser and interact with authenticated websites, yet it does not prominently warn that the agent thereby gains access to private account data, active sessions, messages, billing pages, and other sensitive user context. Over CDP the agent has the same practical authority as the user's browser, so the missing consent and sensitivity warnings materially increase the risk of privacy and account-data exposure.
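As an added example, written for this audit and not part of the skill or its documentation: a gate that turns the Overview's "manually approve" list and the download and authenticated-session findings above into code. It assumes a CDP client exposing send(method, params) and on(event, handler), as chrome-remote-interface and Puppeteer's CDPSession do. The askOperator prompt, the allowedOrigins policy, the path and form-field heuristics, the fake session and the sample events are all assumptions constructed here, not anything from the skill.

```javascript
// Added example (not the skill's own code): an approval gate in front of a CDP
// session. Assumes a client with send(method, params) and on(event, handler).
// Everything below the CDP method names is a constructed assumption.

const WRITE_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
// Heuristic: paths that usually front account data, billing or private messages.
const SENSITIVE_PATH = /\/(account|settings|billing|payments?|checkout|orders?|messages?|inbox|password|security)(\/|$)/i;
// Heuristic: form fields whose values should never leave the machine unreviewed.
const CREDENTIAL_FIELD = /(^|&)(pass(word)?|pwd|token|otp|secret|card(number)?|cvv)[^&=]*=/i;

function parseUrl(url) {
  try { return new URL(url); } catch { return null; }
}

// Classify one action as allow / approve (needs a human) / block.
// policy.allowedOrigins: the origins the operator logged into for this task.
function decide(event, policy) {
  const rawUrl = event.kind === 'request' ? event.request.url : event.url;
  const u = parseUrl(rawUrl);
  const inScope = u !== null && policy.allowedOrigins.has(u.origin);

  switch (event.kind) {
    case 'download':
      // Downloads are written to disk with no prompt (findings above): block by default.
      return { action: 'block', reason: `download of ${rawUrl}; re-enable per task` };

    case 'navigation':
      if (!inScope) return { action: 'block', reason: `out-of-scope origin for ${rawUrl}` };
      if (SENSITIVE_PATH.test(u.pathname)) return { action: 'approve', reason: `private page ${rawUrl}` };
      return { action: 'allow', reason: 'in-scope navigation' };

    case 'request': {
      const { method, postData = '' } = event.request;
      if (!WRITE_METHODS.has(method)) return { action: 'allow', reason: 'read-only request' };
      if (!inScope) return { action: 'block', reason: `${method} to out-of-scope origin ${rawUrl}` };
      if (CREDENTIAL_FIELD.test(postData)) return { action: 'approve', reason: `credentials posted to ${rawUrl}` };
      return { action: 'approve', reason: `state-changing ${method} to ${rawUrl}` };
    }

    default:
      return { action: 'block', reason: `unknown event kind ${event.kind}` };
  }
}

// Attach the gate to a live session. askOperator(decision) must resolve true
// only when a human approves the described action (UI is the caller's concern).
async function wire(session, policy, askOperator) {
  // Browser level: nothing is written to disk until the operator opts in.
  await session.send('Browser.setDownloadBehavior', { behavior: 'deny' });
  // Pause every outgoing request at the request stage so writes can be gated.
  await session.send('Fetch.enable', { patterns: [{ urlPattern: '*', requestStage: 'Request' }] });

  session.on('Fetch.requestPaused', async (p) => {
    const d = decide({ kind: 'request', request: p.request }, policy);
    const ok = d.action === 'allow' || (d.action === 'approve' && await askOperator(d));
    if (ok) await session.send('Fetch.continueRequest', { requestId: p.requestId });
    else await session.send('Fetch.failRequest', { requestId: p.requestId, errorReason: 'BlockedByClient' });
  });

  // Wrap the agent's own Page.navigate calls so private pages need a nod first.
  const rawSend = session.send.bind(session);
  session.send = async (method, params) => {
    if (method === 'Page.navigate') {
      const d = decide({ kind: 'navigation', url: params.url }, policy);
      if (d.action === 'block' || (d.action === 'approve' && !(await askOperator(d)))) {
        throw new Error(`refused: ${d.reason}`);
      }
    }
    return rawSend(method, params);
  };
}

// Constructed stand-in for a CDP session so this file runs without a browser.
function fakeSession(log) {
  const handlers = {};
  return {
    async send(method) { log.push(method); return {}; },
    on(event, fn) { handlers[event] = fn; },
    emit(event, params) { return handlers[event](params); },
  };
}

async function demo() {
  const log = [];
  const session = fakeSession(log);
  const policy = { allowedOrigins: new Set(['https://shop.example']) };
  await wire(session, policy, async () => false); // no operator present: refuse whatever needs approval
  await session.emit('Fetch.requestPaused', { requestId: 'r1',
    request: { method: 'GET', url: 'https://shop.example/items' } });
  await session.emit('Fetch.requestPaused', { requestId: 'r2',
    request: { method: 'POST', url: 'https://shop.example/checkout', postData: 'card=4111&cvv=123' } });
  return log; // Browser.setDownloadBehavior, Fetch.enable, Fetch.continueRequest, Fetch.failRequest
}

demo().then((log) => console.log(log.join(' ')));
```

Read-only requests pass unreviewed so that ordinary page loads keep working, which means a GET carrying data in its query string to an out-of-scope origin is not caught; tighten the policy if the task involves untrusted page content. The regexes are a starting point, not a complete list of private paths or secret fields. With downloads denied at the browser level, a task that genuinely needs a file can re-enable them for one run into a dedicated directory.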

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The setup instructions tell the user to forcibly terminate Edge with taskkill before relaunching it with remote debugging, without warning that this closes every tab and can discard unsaved browser state or interrupt active sessions. This is not a code-execution vulnerability, but it is an unsafe operational instruction that causes avoidable user harm and makes risky browser reconfiguration look routine. Launching the automation browser with its own --user-data-dir starts a separate instance and avoids terminating the user's browser at all.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The documentation suggests reading the browser's SQLite cookie files to obtain the complete cookie set, including HttpOnly session cookies that document.cookie deliberately withholds and other highly sensitive authentication material. Full browser cookies enable session hijacking: replaying them reuses a login that has already passed the site's password and second-factor checks, compromising every authenticated service in the profile. That is especially dangerous in a skill already centered on reusing a logged-in browser.

VirusTotal

63/63 vendors flagged this skill as clean.
