Security audit

Babata Browser

Security checks across malware telemetry and agentic risk

Overview

This is an openly disclosed stealth browser automation skill, but its anti-detection focus and broad page-control features need careful review before installation.

Install only if you intentionally need this level of browser automation and are authorized to automate the target sites. Prefer the Playwright backend for normal browsing, avoid real credentials on untrusted pages, review any JavaScript or form-submission task before running it, and do not use the anti-detection mode to bypass site rules or protective controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill exposes a generic `execute_js` capability that will run arbitrary JavaScript in the context of whatever page is open. In a browser automation skill, this bypasses higher-level safety boundaries and can be used to alter page state, exfiltrate DOM data, trigger hidden actions, or interact with sites in ways not covered by the stated purpose.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The header markets the tool as 'scan-first, act-second' and lightweight browser automation, but the implementation includes state-changing capabilities such as clicking, filling, searching, and login submission. That mismatch can cause downstream agents or users to trust the skill as observational when it can actually perform authenticated or transactional actions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
`login_if_needed` automatically fills credentials into any detected matching fields and submits the form without origin validation, user confirmation, or phishing protections. In an agent setting, that creates a meaningful risk of credential disclosure to the wrong site or unintended authentication actions on attacker-controlled pages.

Ssd 2

Medium
Confidence
97% confidence
Finding
The skill prominently advertises 'anti-detection' and 'stealth Chromium,' which frames the tool around evading bot-detection controls rather than ordinary browser automation. In context, this materially increases abuse potential for scraping protected sites, bypassing access controls, and conducting deceptive automated interactions on government or guarded web properties.

Ssd 2

Medium
Confidence
98% confidence
Finding
Claims such as 'reCAPTCHA v3: 0.9,' 'Cloudflare Turnstile: PASS,' and '30/30 bot tests' explicitly benchmark the system's ability to get past anti-automation defenses. That is dangerous because it encourages and operationalizes misuse by signaling effectiveness for evasion against third-party security controls.

Ssd 2

Medium
Confidence
96% confidence
Finding
The installation instructions explicitly recommend the anti-detection backend, normalizing evasive configuration as the preferred path. This lowers the barrier to misuse and makes the documentation more dangerous because it operationalizes stealth behavior in a turnkey way.

Ssd 3

Medium
Confidence
89% confidence
Finding
The natural-language interface can navigate to arbitrary user-specified sites and extract text, links, tables, or screenshots with no domain restrictions, sensitive-content checks, or policy guardrails. In an agent environment, this broad scraping capability can be abused to collect sensitive page contents, including authenticated or internal data visible to the browser session.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.