Tap

The 'tap' skill bundle provides extensive browser automation capabilities, including direct page manipulation (typing, clicking) and network requests via a Chrome extension requiring high-privilege 'debugger' permissions. A significant risk is identified in SKILL.md, which describes a 'tap install' command that fetches and executes external JavaScript 'skills' from a remote GitHub repository (LeonTing1010/tap-skills), creating a supply chain/RCE vector. While these capabilities are aligned with the stated purpose of deterministic automation, the combination of broad browser control and remote script execution is inherently high-risk.