Back to skill

Security audit

Agent Browser

Security checks across malware telemetry and agentic risk

Overview

This browser automation skill appears legitimate, but it exposes powerful browser, session, recording, proxy, and script-execution capabilities with insufficient safety boundaries for sensitive accounts and credentials.

Install only if you need a powerful browser-control skill and are prepared to treat its outputs as sensitive. Avoid using it on personal banking, admin consoles, production accounts, or SSO/MFA sessions unless explicitly necessary; do not record credential entry; keep saved auth-state files, traces, screenshots, videos, proxy credentials, and cookies out of repos and shared logs; delete them after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (17)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The command reference explicitly documents arbitrary JavaScript execution via base64 and stdin, which goes beyond normal point-and-click browser automation and enables unrestricted code execution inside the page context. In an agent-facing skill, this materially increases the risk of data exfiltration, DOM tampering, bypassing safer high-level controls, and executing hostile automation against authenticated sessions.

Context-Inappropriate Capability

Low
Confidence
77% confidence
Finding
Documenting extension loading allows arbitrary browser extensions to run with powerful browser privileges, often including access to page content, requests, cookies, and stored data. That capability is not necessary for the stated browser automation purpose and creates an additional code execution and data access surface that an agent could abuse or misconfigure.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger description is overly broad and includes catch-all language such as handling nearly any website interaction or web-related automation task. In an agentic environment, this can cause the skill to be invoked for requests beyond the user's intended scope, increasing the chance of unsafe browsing, unintended authentication flows, data exfiltration, or use on sensitive sites.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation encourages login workflows, saving browser state, and persisting sessions without any safety guidance for secrets, cookies, tokens, or local storage. Those artifacts can contain reusable authentication material, so storing or reusing them carelessly can expose accounts, enable session hijacking, or leak sensitive tenant data across runs.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation demonstrates persisting authenticated browser state to a local JSON file immediately after login, and the nearby text does not explicitly warn that the file can contain reusable session cookies or tokens. In an agent-browser skill, this is security-relevant because users may copy the example verbatim and store bearer-equivalent credentials in insecure locations, enabling account takeover if the file is read, copied, or committed.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The OAuth example saves browser state after a third-party login flow without a nearby warning that the saved file may capture federated identity session artifacts. Because OAuth/SSO sessions can grant broad access across apps, persisting that state can expose powerful tokens or cookies that may be replayed by anyone who obtains the file.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The 2FA example saves post-authentication state after manual completion of the second factor, but does not clearly warn that the resulting file may bypass future login challenges. In this context, the saved state can function as a durable authenticated session that weakens the protection intended by 2FA if the file is reused or stolen.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill documents screenshots, PDFs, video recording, traces, and profiles without any warning that these artifacts may capture credentials, personal data, tokens, internal pages, or other sensitive session content. In an agent workflow, automatic saving of such artifacts increases the chance of unintended retention, disclosure, or later misuse of sensitive information.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Cookie, localStorage, and state save/load commands directly expose and persist authentication material and other sensitive browser state. In an agent-operated browser, this can enable account takeover, session replay, or inadvertent leakage of secrets if saved files or outputs are logged, shared, or reused across tasks.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Network interception, custom headers, credentials, proxying, and ignoring HTTPS errors create powerful mechanisms for traffic manipulation and credential exposure, yet the documentation provides no caution about interception, MITM risk, spoofing, or privacy impact. In a browser automation skill, these features can be abused to reroute traffic, inject authentication, or suppress certificate validation for sensitive sites.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation instructs users to save Chrome trace output to JSON files but does not warn that performance traces can capture sensitive browsing activity, URLs, page structure, timing, user interaction patterns, and potentially application data exposed in trace events. In a browser-automation skill, this is more dangerous because traces may be generated while logged into real services or testing internal apps, increasing the chance that sensitive operational or customer data is retained and shared unintentionally.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation shows authenticated proxy URLs with embedded usernames and passwords in environment variables and command examples, but does not warn that such credentials can leak via shell history, process listings, logs, CI output, or shared terminal recordings. In a browser-automation skill, this is especially risky because users may copy-paste examples directly into multi-user or monitored environments, exposing proxy secrets and enabling interception or abuse of routed traffic.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The document explicitly promotes proxies for rate limiting avoidance and includes rotating-proxy scraping examples without any warning about terms-of-service, authorization, privacy, or legal constraints. In an agentic browser automation context, that guidance can normalize evasive behavior and make misuse easier at scale, increasing the chance that the tool is used to bypass site controls or access data in ways operators did not authorize.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation encourages video recording of browser sessions and saving artifacts, but it does not warn that recordings may capture sensitive on-screen data such as credentials, session tokens, personal data, or internal application content. In an agent-browser skill, this is more dangerous because the tool is explicitly meant to automate logins, form filling, and testing of real web applications, increasing the likelihood that sensitive information will be recorded and retained.

Missing User Warnings

High
Confidence
98% confidence
Finding
The login workflow example records the session while filling an email and password, creating a concrete pattern that can expose credentials in the saved video artifact. Because this skill is specifically for browser automation, users may copy this example directly into CI, debugging, or documentation workflows, leading to persistent credential leakage through shared artifacts, logs, or build outputs.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script instructs users to provide credentials via environment variables but gives no warning about secret-handling risks such as shell history exposure, process/environment leakage on shared systems, or accidental logging in CI. In a browser-automation skill that explicitly performs logins, this omission increases the chance that reusable credentials are handled insecurely by operators.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The workflow reuses and later saves authenticated browser state to a local file without warning that the file may contain session cookies or tokens that grant account access. If that state file is read by another user, committed to source control, or left on a shared runner, it can enable session hijacking without needing the original password.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.