Back to skill

Security audit

chrome_skill

Security checks across malware telemetry and agentic risk

Overview

This browser automation skill is purpose-aligned, but it grants very broad control over Chrome and installs/runs an unpinned local bridge with limited safety boundaries.

Review carefully before installing. Use a dedicated Chrome profile, avoid logged-in sensitive accounts unless each action is intentional, do not expose the localhost bridge beyond your machine, and treat the first-run global npm install as third-party code running with your local privileges.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The documented API includes arbitrary JavaScript execution via `evaluate`/`injectScript` and a generic custom-action fallback that can invoke page-defined handlers. In a browser automation skill, these capabilities materially expand power beyond simple navigation and clicking, enabling execution of arbitrary page-context code and making it easier to exfiltrate page data, manipulate sessions, or trigger unsafe flows not apparent from the skill description.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The reference exposes file-affecting operations such as uploading local files, setting input files, and downloading remote content to local destinations. These capabilities extend beyond ordinary browser automation and can be abused to access sensitive local data or write attacker-controlled content to disk if an agent is induced to perform unsafe actions.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The API documents cookie management, request blocking/mocking, network request inspection, and local storage manipulation, which permit broad control over browser state and traffic. In combination, these features can capture session secrets, tamper with application behavior, and interfere with security assumptions while remaining under-described in the skill metadata.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
This skill enables broad browser automation over pages, forms, cookies, storage, screenshots, and content extraction, but it does not warn that the agent may encounter or process sensitive personal or authentication data. That omission increases the risk of unsafe use on logged-in sessions or private pages, leading to inadvertent data exposure or privacy violations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The startup protocol instructs the agent to automatically install a global npm package, start a background child process, and auto-launch Chrome, all without an explicit safety warning or consent checkpoint. These are material system changes and execution steps that could be abused in a compromised environment or surprise users by modifying software state and exposing browser profiles.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The login example demonstrates typing a username and password into a page without any warning about secret handling, phishing risk, or storage/logging controls. In a browser automation skill with screenshot, console, network, and extraction capabilities, normalizing credential entry can lead to leakage of secrets through logs, captured page content, or misuse on untrusted sites.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The documentation advertises access to sensitive browser data such as cookies, storage, network requests, screenshots, PDFs, and local file operations without clear user-facing warnings about privacy or system impact. This increases the likelihood of unsafe use because operators may not realize the skill can collect secrets, persist data locally, or modify browser state in ways that affect security.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The setup guide includes forceful Chrome termination commands (`taskkill /F`, `killall`) without any warning that they will abruptly close all browser instances and may cause loss of unsaved work, interruption of active sessions, or collateral impact on unrelated browsing activity. In a browser automation skill, this is especially risky because users may copy-paste commands verbatim while logged into sensitive accounts or using an existing Chrome session.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The guide presents automatic global package installation, bridge startup, and Chrome auto-launch as frictionless defaults without warning about the security and privacy implications of installing software, opening a local automation bridge, and launching Chrome with remote debugging enabled. In this skill context, that omission is more dangerous because the feature set enables powerful browser control and content extraction, so users should be clearly informed before enabling it.

VirusTotal

53/53 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/startup.js:53