Back to skill

Security audit

Browser Ladder

Security checks across malware telemetry and agentic risk

Overview

This web-browsing skill is mostly coherent, but it includes high-risk browser escalation for CAPTCHA/bot-protected sites and can send browsing targets to third-party cloud browsers.

Install only if you need advanced web automation and are comfortable with Docker and optional third-party browser services. Do not use cloud rungs for private, internal, authenticated, regulated, or credential-bearing pages unless you explicitly approve that data leaving your environment. Treat CAPTCHA, Cloudflare, and similar protections as an authorization checkpoint, not an automatic escalation path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill instructs users to run shell commands and a setup script, and it declares required binaries, but it does not declare corresponding permissions or clearly bound the shell capability. Hidden or undeclared execution capability increases the risk of users invoking local commands without understanding the trust boundary, especially when scripts may write credentials to local files.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The skill presents itself as a browser access utility, but the documented behavior includes screenshots, PDFs, and an interactive setup flow that stores API keys locally. This mismatch can cause users to grant broader trust than intended and may lead to unexpected collection of sensitive page content or credential handling.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script escalates from simple URL fetching to launching arbitrary Docker containers locally, which materially expands the capability and attack surface of the skill. In a browsing utility, invoking Docker is not inherently malicious, but it can enable unreviewed container execution, network access, image pulls, and filesystem mounts that may violate least-privilege expectations or organizational policy.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The cloud-browser sections recommend BrowserCat and Browserless without clearly warning that visited URLs, rendered page contents, cookies/session material, and other browsing metadata may be transmitted to third-party infrastructure. Users could unknowingly send sensitive internal, authenticated, or regulated data to external services.

Natural-Language Policy Violations

High
Confidence
97% confidence
Finding
The skill explicitly advertises CAPTCHA solving and bot-detection bypass as a standard escalation path. That operational guidance encourages circumvention of access controls and anti-automation protections, which can facilitate unauthorized scraping or policy violations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Level 4 sends user-provided URLs to a third-party remote browsing service without explicit disclosure at runtime. That can leak sensitive URLs, embedded credentials, internal hostnames, or private resources to an external vendor, especially because the skill's fallback design may escalate automatically.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script interactively collects a sensitive API key and writes it directly to a local .env file in plaintext without warning the user about persistence or file exposure risks. While this is common setup behavior, it can leak credentials if the workspace is shared, backed up, committed to source control, or has weak filesystem permissions.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The Browserless token is written to .env in plaintext after interactive entry, again without disclosing that the credential will remain on disk. This increases the chance of accidental disclosure through shared workspaces, backups, logs, or repository commits, especially because the token enables advanced browser automation capabilities.

Ssd 2

Medium
Confidence
96% confidence
Finding
By promoting browser escalation specifically for bot-protected targets, the skill normalizes evasive automation behavior even without overt attack terminology. This lowers the barrier to misuse against websites that intentionally deploy anti-bot defenses.

Ssd 2

Medium
Confidence
95% confidence
Finding
The decision flow instructs the operator to climb to a higher rung when encountering CAPTCHA or Cloudflare protections, making access-control evasion part of the normal workflow. This creates a direct misuse path for automated circumvention of website defenses.

Ssd 2

Medium
Confidence
96% confidence
Finding
The Browserless example operationalizes automated CAPTCHA handling with a concrete connection pattern and a note that CAPTCHA is handled automatically. Concrete examples make the bypass capability easier to adopt and therefore increase the likelihood of misuse.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.