Js Eyes

Security checks across malware telemetry and agentic risk

Overview

This is a real browser automation skill, but it defaults to powerful browser/session access and automatic local integration changes that should be reviewed before installation.

Install only if you intentionally want an AI agent to control your browser, including logged-in tabs. Before first run, consider keeping allowRawEval=false, setting nativeHost.autoInstall=false or warnOnly=true, limiting enabled extension skills and extraSkillDirs, keeping the server bound to localhost, and rotating the server token if it is ever revealed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding
This section extends beyond installation and troubleshooting into post-install operational use, including extension-skill discovery, installation, linking, and hot-loading. That scope creep makes the skill materially more capable than advertised and increases the chance an operator enables ongoing automation features when they only intended one-time setup.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The skill instructs operators to set `security.allowRawEval: true` as part of the default deployment, explicitly weakening the host's security posture to permit raw JavaScript execution. In the context of a browser automation stack that can load skills and interact with web content, this materially increases the risk of arbitrary code-like execution, data exfiltration, and abuse of the host/browser boundary.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
The skill directs default enablement of numerous bundled platform-specific automation skills unrelated to merely installing or verifying the base JS Eyes stack. This broadens the available action surface immediately after setup, increasing the chance of unintended automation against third-party platforms and expanding the blast radius of compromise.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding
Including detailed instructions for authoring new extension skills goes well beyond the declared install/configure/troubleshoot purpose and encourages expansion of the execution surface. In a system that hot-loads skills and routes actions through a central tool, this can facilitate unreviewed custom code and reduce security boundaries.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The manifest presents the plugin primarily as browser automation, but the configuration also exposes remote skill registry retrieval and local skill discovery/loading from arbitrary directories. That broader capability increases the trust boundary significantly because it can lead to unreviewed code or skill content being introduced under a less transparent description, making social engineering and unsafe deployment more likely.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The plugin includes Native Messaging host auto-install and repair features, which can modify browser integration artifacts and, on Windows, registry state. This is more sensitive than ordinary browser automation because it establishes persistent local trust relationships between the browser and native components, creating a stronger foothold if the plugin is misconfigured, compromised, or abused.

Context-Inappropriate Capability

Severity: High
Confidence: 94%
Finding
This SDK exposes methods to retrieve cookies by tab and by arbitrary domain, which can enable session-token extraction from the browser context. In a skill described as install/configure/verify/troubleshoot browser automation, cookie exfiltration capability is broader than necessary and materially increases the risk of credential theft if the SDK is used by an untrusted or compromised agent.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
This action executes arbitrary JavaScript in the context of a live browser tab, enabling DOM manipulation, data extraction, session abuse, and interaction with authenticated applications. In this plugin, the danger is amplified because tools marked as requiring confirmation are auto-confirmed, so a caller can invoke page-level code execution without an actual human approval checkpoint.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The code automatically installs or repairs the native messaging host when `autoInstall` is enabled, with defaults set to perform these changes and no explicit user confirmation before calling `installer.installBrowsers(...)`. Modifying browser/native-host registration affects the local system and trust boundary; if triggered unexpectedly during plugin startup, it can surprise users, change persistence-related settings, and increase risk if the installer path or packaging is compromised.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
Automatic startup activation expands exposure because the plugin begins running and potentially starting services without a user-triggered action. In this skill's context, that matters more because the plugin can start a browser-control server, watch configuration and skill directories, and perform host repair tasks immediately at launch.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The manifest states that the plugin may automatically check, install, and repair the Native Messaging host when OpenClaw loads the plugin. Automatic modification of browser integration components without a strong, explicit warning and consent flow is dangerous because it can alter local system state and persistence mechanisms in ways users may not anticipate.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The manifest explicitly allows automatic rewriting of stale manifests, launchers, and extension ID mappings. Rewriting these artifacts can silently rebind trust relationships or restore integration after a user or administrator changed them, which raises the risk of persistence and unauthorized system modification.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
This code accepts authentication tokens from the URL query string via `getQueryToken()`. Query parameters are commonly logged by servers, proxies, browser history, referrers, and monitoring tools, which can expose bearer-equivalent secrets and enable session or API hijacking if those logs are accessed. In a browser automation/server context, this is more dangerous because tokens may traverse multiple components and debugging infrastructure where URLs are routinely captured.

VirusTotal

VirusTotal findings are pending for this skill version.
