Back to skill

Security audit

browseanything ai browser agent

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real hosted browser-automation skill, but it can act in logged-in web sessions, submit forms or purchases, and send sensitive browsing data to a third-party service with insufficient safeguards.

Review carefully before installing. Use it only for websites and accounts you are authorized to automate, avoid sensitive accounts unless necessary, do not put passwords or secrets in prompts, prefer scoped saved sessions, and require explicit confirmation before submissions, purchases, checkouts, account changes, CAPTCHA or MFA handling, or exporting private data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill exposes code paths that use environment variables and make outbound network requests, yet it does not declare equivalent permissions or constraints. In a web-automation skill that can log into apps, scrape authenticated content, and submit actions to a hosted third-party service, this mismatch weakens policy enforcement and can cause users or orchestrators to invoke a capability set broader than they intended.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The example explicitly instructs the agent to fill and submit a live form and only verify the thank-you page afterward, with no caution to pause before submission or require user confirmation. In a browser-automation skill whose purpose is to interact with real websites, this normalizes user-data-affecting actions and can lead to unintended submissions, spam, disclosure of personal data, or triggering external workflows.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The README says the skill auto-triggers on very broad phrases such as browsing, scraping, logging in, and filling forms, without clearly documenting limits, confirmation requirements, or sensitive-action exclusions. In a browser automation skill, that increases the chance an agent invokes powerful web actions unintentionally, including account access, data extraction, or form submission on third-party sites.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README promotes capabilities to click, type, solve CAPTCHAs, and log into sites, but omits safety guidance around credential handling, privacy, consent, and risks of acting on external websites. Because this skill is specifically designed to operate real browser sessions against live services, missing warnings and handling rules materially increase the risk of secret exposure, unauthorized access, and unintended transactions.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The reference explicitly shows live key formats (`ba_live_...`) and accepted auth headers but provides no guidance on secret handling, redaction, or avoiding inclusion in logs and prompts. In a skill designed to drive a remote browsing platform, missing secret-safety guidance increases the chance that operators or downstream wrappers expose API credentials in code, telemetry, screenshots, or error output.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The task creation example includes identifiable metadata (`user: "alice"`) without any warning that metadata is stored, returned later, and potentially propagated to logs, dashboards, or webhooks. Because this skill handles authenticated browsing and user-directed actions, encouraging arbitrary metadata without privacy guidance can lead to unnecessary collection or disclosure of personal data.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are extremely broad and include common requests like 'browse', 'use the web', 'look up something live', 'log in and...', and 'buy', making accidental invocation likely. In this skill, accidental invocation is more dangerous than usual because it can drive a real browser, access authenticated sessions, and perform side-effecting actions through an external service.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The instruction to trigger the skill 'whenever the task requires the live web' is ambiguous and under-specified, leaving too much discretion for automatic routing. Because this skill delegates to an autonomous browser agent with CAPTCHA solving, login handling, and transaction-like capabilities, ambiguous routing can expose credentials, authenticated data, or cause unintended external actions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.