Security audit

En Tencent Novnc Chromium Cdp

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises, but it asks for very powerful server access and includes an unsafe fallback that requests SSH passwords in chat.

Install only if you are comfortable giving the skill root-level deployment authority and persistent remote-browser services. Do not paste reusable SSH passwords into chat; prefer running the sudo setup yourself, using temporary least-privilege access, restricting port 6080 by firewall or source IP, and disabling the systemd services when you are done.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

High (99% confidence)
Finding
The skill explicitly tells the agent to request full SSH credentials so it can log into the server and perform installation. That grants unrestricted remote shell access far beyond the immediate browser-deployment task, creating a high-risk path to total host compromise if the agent, logs, plugins, or surrounding platform are abused. The context makes this more dangerous because the skill normalizes credential collection in chat while also directing privileged system changes.

Intent-Code Divergence

High (98% confidence)
Finding
The documentation claims the credentials will only be used for a narrow set of install actions, but the requested SSH username/password actually provide broad interactive shell access. This is a dangerous mismatch because it downplays the real authority being granted and may mislead users into sharing secrets they would otherwise protect more carefully.

Missing User Warnings

Medium (95% confidence)
Finding
The skill instructs the agent to ask for SSH passwords directly in chat without a strong warning against sharing reusable credentials through conversational channels. Even if the stated purpose is installation, collecting passwords in-band increases the chance of credential exposure through chat retention, logs, screenshots, or downstream integrations.

Ssd 3

High (99% confidence)
Finding
The skill plainly instructs the agent to request SSH passwords from users to complete deployment. This is dangerous because it operationalizes secret harvesting as part of the workflow, making credential disclosure routine and enabling full server takeover if those credentials are mishandled or the agent environment is compromised.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.exposed_resource_identifier

Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

Critical
Code: suspicious.exposed_resource_identifier
Location: SKILL.md:189