Security audit

Cookie Use

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about what it does, but it gives agents broad power to capture, store, share, and silently apply live website login sessions.

Install only if you intentionally want an agent-capable tool that can manage real logged-in browser sessions. Use it only for accounts you own or are authorized to operate, avoid replaying production sessions to local/dev origins, avoid sharing session bundles unless policy permits it, and do not enable --no-confirm or COOKIE_USE_YES=1 except in tightly controlled automation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Ssd 4

High
Confidence
99% confidence
Finding
The skill is explicitly designed to capture, store, switch, inject, and share authenticated web sessions for arbitrary websites, including managing many accounts at once. In an agent setting, that materially enables account takeover, lateral session reuse, and unauthorized impersonation even if the author frames it as productivity tooling.

Ssd 4

High
Confidence
98% confidence
Finding
The `cookie-use as <id> ...` workflow lets an agent execute downstream browser actions under another stored account's authenticated session. That moves beyond passive storage into active impersonation, allowing the agent to perform actions as any saved identity without reauthentication.

Ssd 4

High
Confidence
99% confidence
Finding
The localhost replay example instructs users to transplant production authentication material, including cookies and optionally localStorage, onto a different origin. This weakens normal browser origin boundaries and can expose production sessions to insecure local environments, developer tooling, malware, or unintended backend mixes.

Ssd 4

High
Confidence
98% confidence
Finding
The example normalizes bypassing confirmation with `COOKIE_USE_YES=1` while operating as one of many accounts, which is especially risky for autonomous agents. It reduces friction for mass account impersonation and makes accidental or unauthorized actions under stored sessions much more likely.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
#                             "http://localhost:8001"); pair with --rewrite-domain.
#   --no-localstorage         skip injecting the account's captured localStorage
#                             (injected by default when present and a page opens).
#   --no-confirm              skip the Touch ID / TTY gate before injecting.

# Cross-origin QA sugar: replay a captured session onto a local dev origin.
cookie-use replay <id> --to localhost:8001    # = use --rewrite-domain localhost
Confidence
93% confidence
Finding
--no-confirm

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
Injecting a live session is the dangerous action, so `use` / `switch` / `replay`
/ `as` confirm before they inject: **Touch ID** on macOS (LocalAuthentication),
falling back to a TTY y/N prompt. An agent driving the CLI non-interactively
must either pass `--no-confirm` or set `COOKIE_USE_YES=1`; without a bypass,
injection is *refused* in a non-interactive shell rather than proceeding
silently.
Confidence
95% confidence
Finding
--no-confirm

Credential Access

High
Category
Privilege Escalation
Content
- `COOKIE_USE_YES=1` — bypass the injection confirmation (agent / automation).
- `COOKIE_USE_VAULT_KEY` — base64 of a 32-byte key; used directly instead of the
  macOS Keychain. For headless / CI / agent hosts with no login Keychain (the
  caller owns key custody). Without it, the key lives in the Keychain.
- `COOKIE_USE_VAULT` — override the vault file path (multiple isolated vaults,
  headless hosts, tests). Defaults to `~/.cookie-use/vault.enc`.
Confidence
72% confidence
Finding
Keychain

Credential Access

High
Category
Privilege Escalation
Content
- `COOKIE_USE_YES=1` — bypass the injection confirmation (agent / automation).
- `COOKIE_USE_VAULT_KEY` — base64 of a 32-byte key; used directly instead of the
  macOS Keychain. For headless / CI / agent hosts with no login Keychain (the
  caller owns key custody). Without it, the key lives in the Keychain.
- `COOKIE_USE_VAULT` — override the vault file path (multiple isolated vaults,
  headless hosts, tests). Defaults to `~/.cookie-use/vault.enc`.
Confidence
72% confidence
Finding
Keychain

Tool Parameter Abuse

High
Category
Tool Misuse
Content
#                             "http://localhost:8001"); pair with --rewrite-domain.
#   --no-localstorage         skip injecting the account's captured localStorage
#                             (injected by default when present and a page opens).
#   --no-confirm              skip the Touch ID / TTY gate before injecting.

# Cross-origin QA sugar: replay a captured session onto a local dev origin.
cookie-use replay <id> --to localhost:8001    # = use --rewrite-domain localhost
Confidence
94% confidence
Finding
--no-confirm

Tool Parameter Abuse

High
Category
Tool Misuse
Content
Injecting a live session is the dangerous action, so `use` / `switch` / `replay`
/ `as` confirm before they inject: **Touch ID** on macOS (LocalAuthentication),
falling back to a TTY y/N prompt. An agent driving the CLI non-interactively
must either pass `--no-confirm` or set `COOKIE_USE_YES=1`; without a bypass,
injection is *refused* in a non-interactive shell rather than proceeding
silently.
Confidence
95% confidence
Finding
--no-confirm

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.