Back to skill

Security audit

Oto Sessions

Security checks across malware telemetry and agentic risk

Overview

This skill appears to manage logged-in browser sessions, but it under-explains the credential-like risk of saved sessions and exposes powerful browser-control details.

Review before installing. Use only on a trusted, single-user machine, avoid banking/email/admin accounts unless you fully accept the risk, do not share or commit saved session files or logs, and delete saved sessions when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger scope is extremely broad: it claims applicability to 'any task requiring authenticated browser access,' which can cause the agent to invoke this skill in many unrelated contexts involving sensitive logged-in sessions. In practice, this increases the chance of credential-bearing browser automation being used without adequate task-specific consent, data-minimization, or site-specific safeguards.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill promotes saving and reusing authenticated sessions but does not clearly warn that these session artifacts may contain cookies, local storage, and other bearer-style authentication material equivalent to account access. Without a prominent warning, users may underestimate the sensitivity of the stored data and reuse the skill in higher-risk environments or on shared machines.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation explicitly encourages inspecting a saved session JSON file that likely contains cookies, tokens, and other authenticated browser state, but it does not warn that this data is highly sensitive. In an agent/automation context, users may copy, log, or share that output, which can enable session hijacking or unauthorized account access.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The guide instructs users to save authenticated browser sessions containing cookies and browser storage, which can often function as bearer tokens for account access. Without an explicit warning about the sensitivity of these files, users may mishandle, copy, back up, or expose them, leading to account takeover of services like Amazon, PayPal, Shopify, or Twilio.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script prints a live browser WebSocket endpoint and derived DevTools URL to stdout, which effectively grants remote control over an authenticated browser session to any caller or log consumer that can read the output. In automation contexts, stdout is often captured by parent processes, CI logs, shell history, or monitoring systems, so exposing these connection details without strong access controls can leak a powerful session capability.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/launch-session.js:13