Brower Opener

Security checks across malware telemetry and agentic risk

Overview

This skill is a real browser automation helper, but it defaults to opening the user's logged-in Chrome profile with remote debugging and may kill browser or port-using processes without confirmation.

Install only if you intentionally want an agent to control a Chrome debugging session that can use your logged-in sites. Prefer independent mode or a dedicated test profile/account, save browser work first, and avoid using this around sensitive personal or production sessions until it requires explicit consent for profile reuse and process termination.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Behavioral ASTexec() Call, eval() Call, Dynamic Import
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection

Findings (18)

subprocess module call

Medium

Category: Dangerous Code Execution
Content: # 启动 Chrome（非阻塞） try: if system == "windows": subprocess.Popen( cmd, creationflags=creation_flags, stdout=subprocess.DEVNULL,
Confidence: 92% confidence
Finding: subprocess.Popen( cmd, creationflags=creation_flags, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, s

subprocess module call

Medium

Category: Dangerous Code Execution
Content: start_new_session=True ) else: subprocess.Popen( cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
Confidence: 92% confidence
Finding: subprocess.Popen( cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, start_new_session=True )

subprocess module call

Medium

Category: Dangerous Code Execution
Content: print("[WARNING] Closing all Chrome processes...") if system == "windows": try: subprocess.run( ["taskkill", "/F", "/IM", "chrome.exe"], capture_output=True, timeout=10
Confidence: 96% confidence
Finding: subprocess.run( ["taskkill", "/F", "/IM", "chrome.exe"], capture_output=True, timeout=10 )

subprocess module call

Medium

Category: Dangerous Code Execution
Content: pass else: try: subprocess.run( ["pkill", "-f", "chrome"], capture_output=True, timeout=10
Confidence: 96% confidence
Finding: subprocess.run( ["pkill", "-f", "chrome"], capture_output=True, timeout=10 )

subprocess module call

Medium

Category: Dangerous Code Execution
Content: # 启动 Chrome（非阻塞） try: if system == "windows": subprocess.Popen( cmd, creationflags=subprocess.CREATE_NEW_PROCESS_GROUP, stdout=subprocess.DEVNULL,
Confidence: 93% confidence
Finding: subprocess.Popen( cmd, creationflags=subprocess.CREATE_NEW_PROCESS_GROUP, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNU

subprocess module call

Medium

Category: Dangerous Code Execution
Content: start_new_session=True ) else: subprocess.Popen( cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
Confidence: 93% confidence
Finding: subprocess.Popen( cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, start_new_session=True )

subprocess module call

Medium

Category: Dangerous Code Execution
Content: if len(parts) >= 5: pid = parts[-1] try: subprocess.run( ["taskkill", "/F", "/PID", pid], capture_output=True, timeout=5
Confidence: 91% confidence
Finding: subprocess.run( ["taskkill", "/F", "/PID", pid], capture_output=True, timeou

Context-Inappropriate Capability

Medium

Confidence: 96% confidence
Finding: The script unconditionally enumerates and force-kills any process listening on TCP port 9222 using kill -9 or fuser -k, without validating that the process is the browser instance it intends to manage. This grants the skill broader host-process control than necessary and can disrupt unrelated tools, developer workflows, or security services that happen to use that port.

Description-Behavior Mismatch

Medium

Confidence: 95% confidence
Finding: The script kills any process listening on port 9222 and then broadly terminates all Chrome processes before launching a new browser. That exceeds the expected scope of a helper tool and can disrupt unrelated applications, destroy user state, or terminate other debugging sessions without verifying ownership of the process.

Context-Inappropriate Capability

Medium

Confidence: 97% confidence
Finding: Using kill -9 and broad pkill patterns is unnecessarily destructive for a browser launch utility because it force-terminates processes without graceful shutdown or precise targeting. This can cause data loss in open browser sessions, interrupt unrelated workloads, and potentially kill processes whose names happen to match the pattern.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The README explicitly promotes launching Chrome with the user's main profile and reusing cookies for automated testing, but it does not warn that this exposes authenticated sessions, stored credentials, and other profile data to any process that can drive the debugging session. In the context of AI-driven browser automation, this materially increases the chance of unintended account actions, data exposure, or cross-site session abuse.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The README instructs users to expose Chrome's remote debugging endpoint on port 9222 and then connect automation to it, but it does not explain that CDP grants near-complete browser control, including page navigation, script execution, and access to session-bearing contexts. Even though the example binds to 127.0.0.1, local malware, other users on the host, or untrusted tools running in the same environment could hijack the browser session.

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The trigger phrases are broad everyday requests like '打开浏览器' and '启动浏览器', making accidental activation likely in normal conversation. In this skill, accidental activation is security-relevant because the action launches Chrome in a remote-debuggable state and may reuse an authenticated profile.

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The default behavior sends all unspecified cases into cookie-reuse mode without confirmation. That means ambiguous requests can cause the agent to open a browser tied to the user's existing authenticated profile, increasing the chance of unintended access to live sessions and sensitive data through the DevTools interface.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The workflow states the skill will automatically close processes occupying port 9222, but the destructive impact is not presented as an upfront blocking warning before activation. This can terminate unrelated local applications or existing browser debugging sessions, causing data loss or disruption.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The script kills whatever is using port 9222 without confirming with the user or verifying ownership. In a desktop automation skill, this can disrupt unrelated local services and cause data loss or workflow interruption.

Missing User Warnings

High

Confidence: 98% confidence
Finding: Reuse mode intentionally force-terminates all Chrome processes before relaunching. In this skill context, that is dangerous because it affects the user's main browser, can destroy unsaved work, and may disrupt active authenticated sessions across unrelated tasks.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: Forcefully terminating processes on port 9222 without user confirmation is dangerous because it can interrupt unrelated applications and cause loss of state or work. In the context of an agent skill, this is more concerning because a user asking to 'open a browser' would not reasonably expect the tool to kill other local processes automatically.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal