Security audit

Zh Tencent Novnc Chromium Cdp

Security checks across malware telemetry and agentic risk

Overview

This skill openly deploys a remotely controllable browser, but it asks for SSH passwords and exposes a browser-control surface in ways users should review carefully.

Install only on a machine you are willing to dedicate to remote browser automation. Prefer running the privileged setup yourself or using a temporary key instead of sharing an SSH password in chat. Restrict access to port 6080 by IP, VPN or SSH tunnel where possible, do not expose port 9223 publicly, and remove the systemd services and rotate credentials when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

High (98% confidence)

Finding: The skill explicitly instructs the agent to request SSH credentials, including passwords, from the user and use them to log into the server. That expands the trust boundary from local browser automation into credential handling and remote administrative access, creating clear risk of credential theft, misuse, or accidental retention in agent logs and transcripts.

Context-Inappropriate Capability

Medium (88% confidence)

Finding: The skill directs the agent to open firewall ports and expose a remotely accessible noVNC browser service over the network. Although this is part of the feature goal, it materially increases the attack surface by publishing a remote-control interface that could be abused if password protection is weak, reused, leaked, or misconfigured.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.exposed_resource_identifier

Plaintext HTTP endpoint targets a CGNAT/Tailscale-range address.

Critical

Code: suspicious.exposed_resource_identifier

Location: SKILL.md:189