Back to skill

Security audit

Browser Search

Security checks across malware telemetry and agentic risk

Overview

This web research skill is not clearly malicious, but it gives agents unusually broad browser, scraping, and safety-bypass powers without enough limits.

Review before installing. Use this only in non-sensitive browser contexts unless you are comfortable with agents controlling browser sessions, evaluating page JavaScript, using local API keys, persisting profiles or containers, and potentially disabling safety protections for internal/local access or bulk scraping.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The skill claims commands are read-only and safe even in Plan mode, but elsewhere documents commands that write files (/tmp screenshots, JSON payload files) and execute local Node scripts. This mismatch can cause downstream agents to apply the skill in contexts where side effects are forbidden, increasing the chance of unintended file writes or execution of more powerful local code paths than the operator expects.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill explicitly advertises a --unsafe mode that bypasses SSRF protection, sandboxing, and path-traversal checks. For a web-research skill, exposing operators to a one-flag escape hatch materially lowers the barrier to accessing internal services, local files, or unrestricted script behavior if a prompt or user input steers the agent toward those flags.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The documented --no-rate-limit flag broadens the skill from normal research into high-volume scraping. In agentic settings, that can enable abusive automation, accidental denial of service against target sites, or policy violations that exceed the stated purpose of occasional web research.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The activation guidance says to use the skill whenever web research is needed, which is overly broad for a skill that includes browser automation, arbitrary page JavaScript evaluation, protected-site access, and optional bypass features. Broad invocation criteria increase the chance the agent will route routine tasks into a more powerful toolchain than necessary, expanding attack surface and data exposure.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.generated_source_template_injection

User-controlled placeholder is embedded directly into generated source code.

Critical
Code
suspicious.generated_source_template_injection
Location
SKILL.md:95