My Agent Browser

Security checks across malware telemetry and agentic risk

Overview

This appears to be a coherent browser automation/recording skill, but its recordings, traces, and saved sessions can contain sensitive login data.

Install only if you are comfortable letting the skill record browser workflows and reuse logged-in browser sessions. Treat generated recordings, traces, screenshots, and session-state files like secrets: store them privately, do not commit or share them, avoid recording sensitive accounts unless necessary, and delete artifacts when finished.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill explicitly documents saving and loading authenticated browser session state without warning that the state file may contain cookies, tokens, or other reusable authentication artifacts. In an agent context, this can lead to accidental persistence, reuse, or exfiltration of sensitive credentials across tasks or users.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The recording and tracing features capture page contents and explicitly preserve cookies/storage from the active session, yet the skill provides no privacy or data-handling warning. This creates a realistic risk of recording sensitive data, authenticated content, or tokens into artifacts that may later be shared or retained insecurely.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal