Back to skill

Security audit

browserbase-sessions

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Browserbase automation skill, but it needs review because it can control logged-in cloud browsers and includes an under-disclosed ChatGPT/Suno automation script.

Install only if you intentionally want an agent to manage persistent Browserbase sessions that may stay logged into websites. Use a dedicated Browserbase project/key, isolate workspaces per site or task, disable recording/logging/CAPTCHA solving when unnecessary, avoid exporting cookies, terminate sessions and delete contexts when finished, and remove or review scripts/dedication_automation.mjs if you do not want ChatGPT/Suno automation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill exposes powerful capabilities including shell, network, environment-variable access, and local file read/write, but does not declare permissions or present clear guardrails. That mismatch increases the chance an agent invokes the skill with more authority than a user expects, especially since the documented workflows handle API keys, persisted auth state, downloads, logs, and workspace files.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill is presented as session/context management, but it also exposes broad browser-driving primitives such as navigation, tab management, clicking, typing, reading pages, downloads, logs, and live human handoff. That mismatch materially increases risk because operators may grant or invoke the skill assuming narrow session administration, while it can in practice access and manipulate authenticated web content across sites.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The execute-js command allows arbitrary JavaScript execution in the context of whatever authenticated page is open. In a skill advertised primarily for session management, this is especially dangerous because it enables DOM manipulation, token extraction from page storage/context, form submission, and state changes on third-party sites well beyond simple session handling.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The get-cookies command exposes full session cookies from the browser context, which can enable session hijacking or reuse if those cookies are copied elsewhere. Because the skill also supports persistent authenticated contexts and remote browser control, cookie extraction is more dangerous here than in a normal debugging tool.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This script materially exceeds the stated skill purpose of Browserbase session management by automating authenticated interactions with ChatGPT and Suno, including content generation, form filling, CAPTCHA-assisted submission, and artifact capture. In an agent-skill context, that mismatch is dangerous because users may grant session/context access expecting infrastructure/session handling, while the code can silently act on third-party accounts and services using persisted logins.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code contains specialized authenticated browser automation unrelated to basic Browserbase session creation or management, including prompt injection into ChatGPT, polling responses, navigating to Suno, and triggering song creation. Hidden extra capability in a skill is security-relevant because it expands what an agent can do with stored credentials or browser contexts beyond what operators and users would reasonably expect.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly states that automatic CAPTCHA solving and session recording are enabled by default, but it does not warn users about legal, privacy, consent, or site-terms implications. In a browser automation skill that can access authenticated sessions and protected pages, defaulting to these capabilities increases the chance of unauthorized data capture or policy violations, even if the feature is intended for legitimate automation.

Vague Triggers

Low
Confidence
83% confidence
Finding
The invocation description is broad enough to match many generic browser tasks, including authenticated browsing and scraping, which can cause the skill to be selected outside a narrow intended use case. In this skill, over-selection matters because invocation can lead to session creation, persistence of authentication artifacts, and browser automation against logged-in sites.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill states that CAPTCHA solving, session recording, logging, and authentication persistence are enabled by default, but the privacy and retention consequences are not surfaced as a prominent consent step before use. This can lead to inadvertent collection and storage of sensitive session content, credentials, cookies, page data, and user actions in Browserbase and local workspace files.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The reference explicitly exposes APIs for session logs, rrweb recordings, and downloaded-file archives but provides no warning that these artifacts can contain credentials, authentication cookies, page contents, personal data, or other secrets from authenticated browsing sessions. In a skill centered on persistent authenticated browser sessions, omission of privacy and data-handling guidance materially increases the chance of unsafe collection, retention, or sharing of sensitive session artifacts.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This command returns all cookies directly with no confirmation, redaction, or warning despite operating on potentially authenticated sessions. An agent or downstream consumer can immediately exfiltrate reusable session material, making authenticated account takeover or unauthorized reuse plausible.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This command executes arbitrary page-side JavaScript supplied via arguments with no warning, policy enforcement, or restriction. In an authenticated browser session, that can be used to read page data, harvest storage-backed secrets, alter application state, trigger transactions, or bypass the intended higher-level command model.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script saves screenshots and a JSON summary to /tmp that include sensitive operational data such as sessionId, debugUrl, contextId, generated prompts, and page state from authenticated services. On multi-user systems, shared temp storage, log collection, or later artifact exfiltration can expose active browser sessions, account metadata, or private content, enabling unauthorized access or replay against the Browserbase session.

Session Persistence

Medium
Category
Rogue Agent
Content
---
name: browserbase-sessions
description: Create and manage persistent Browserbase cloud browser sessions with authentication persistence. Use when you need to automate browsers, maintain logged-in sessions across interactions, scrape authenticated pages, or manage cloud browser instances.
license: MIT
homepage: https://docs.browserbase.com
metadata: {"author":"custom","version":"2.5.0","openclaw":{"emoji":"🌐","requires":{"bins":["python3"]},"primaryEnv":"BROWSERBASE_API_KEY"}}
Confidence
88% confidence
Finding
Create and manage persistent Browserbase cloud browser sessions with authentication persistence. Use when you need to automate browsers, maintain logged-in sessions across interactions, scrape authent

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.