AI Browser WebSocket Control

Security checks across malware telemetry and agentic risk

Overview

This browser-control skill is not clearly malicious, but it exposes powerful unauthenticated control over a real browser and includes an under-disclosed site-specific helper.

Install only after review and containment:
  • Run it only on a trusted machine.
  • Keep the WebSocket and DevTools ports inaccessible from other systems.
  • Use a separate browser profile with no sensitive logins.
  • Avoid authenticated sites unless you explicitly intend the automation to act there.
  • Remove or ignore quick-control.js if the Fanqie workflow is unrelated.
  • Stop the service when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented skill exposes powerful browser automation over WebSocket and includes arbitrary page-script execution (`evaluate`). Combined with the analysis note that it may attach to an existing local Chrome debug session and visit a specific site/login flow, this creates a substantial gap between user expectations and actual capability, enabling access to authenticated browser state, sensitive page contents, and site actions. In this context, browser control is inherently sensitive because it can act as the user on already-logged-in sites.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The code is not a generic browser-control utility as described by the manifest; it hardcodes navigation to a specific writer backend, inspects login state, and explicitly prepares for a publishing workflow. In an agent skill, this hidden site-specific automation increases the risk of unauthorized account actions, misuse of an already logged-in browser session, and deceptive capability scoping that can bypass user expectations and review.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The `evaluate` action lets any connected WebSocket client supply arbitrary JavaScript to run in the browser page context. This enables reading page data, interacting with authenticated sessions, and performing actions far beyond the declared browser automation primitives, effectively turning the service into a remote code execution bridge inside the browser.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation advertises full browser automation, screenshots, DOM extraction, and input/click control without warning that these features can expose credentials, session data, personal content, or trigger real actions on websites. Because the skill controls a real browser, the absence of safety guidance increases the likelihood of unsafe deployment or misuse around authenticated sessions and sensitive pages.

Missing User Warnings

High
Confidence
97% confidence
Finding
The `evaluate` action permits arbitrary JavaScript execution in the browser context, which can read page data, manipulate forms, exfiltrate tokens visible to page scripts, and trigger privileged actions as the logged-in user. Exposing that capability over a WebSocket control channel without strong warnings or constraints is dangerous because it turns the browser into a remote code execution surface within every visited site context.

Missing User Warnings

High
Confidence
97% confidence
Finding
Page-script execution is exposed over WebSocket without any confirmation, access control, or safety boundary. A local or proxied client that can connect to the socket can silently run scripts in whatever page the browser has open, including pages with sensitive data or authenticated state.

Missing User Warnings

High
Confidence
96% confidence
Finding
The `snapshot` action returns input field values and page links, and `screenshot` returns full visual page contents to any connected client. This can exfiltrate credentials, personal data, tokens visible in forms, or confidential on-screen information without any user disclosure or consent mechanism.

Known Vulnerable Dependency: ws==8.14.0 (2 advisories): CVE-2024-37890 (ws affected by a DoS when handling a request with many HTTP headers); CVE-2026-45736 (ws: Uninitialized memory disclosure)

High
Category
Supply Chain
Confidence
97% confidence
Finding
ws==8.14.0

VirusTotal

66/66 vendors flagged this skill as clean.