Back to skill

Security audit

Agent Browser

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate browser automation skill, but it gives broad browser/session authority and includes under-scoped guidance around saved logins, proxies, recordings, and TLS bypasses.

Install only if you need broad browser automation and trust the local agent-browser executable. Use it only on sites and accounts you are authorized to automate, avoid proxy-based rate-limit or ban evasion, prefer test or least-privilege accounts, and protect or delete saved state files, recordings, screenshots, PDFs, and extracted page data because they may contain credentials, sessions, or private information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The documentation explicitly recommends rotating proxies 'to avoid rate limiting' for scraping, which normalizes evasive behavior that can facilitate abuse of third-party services and bypass operator controls. In the context of a browser automation skill, this expands usage from legitimate testing into operational guidance for stealthier mass scraping, making misuse easier.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The skill description is broad enough to activate on many ordinary browsing, testing, form-filling, and information-extraction requests, which can cause the agent to invoke a high-capability browser tool more often than necessary. Because this skill can navigate arbitrary URLs, access browser state, and manipulate pages, overbroad routing increases the chance of unintended data exposure or unsafe web interaction.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation exposes powerful features for handling credentials, cookies, local storage, proxies, network interception, CDP connections, JavaScript evaluation, file access, and saved auth state without corresponding safety boundaries or privacy warnings. In a browser automation skill, these capabilities materially increase the risk of credential leakage, session-token theft, unsafe local-file access, deceptive traffic manipulation, or persistence of sensitive browser state if an agent uses them without strict controls.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The example instructs saving authenticated browser state to a file immediately after login, but the warning that state files contain reusable session tokens appears much later in the document rather than adjacent to the risky action. Readers may copy the snippet as-is, leaving a bearer-equivalent session artifact on disk that can be reused by anyone with filesystem or repository access.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The OAuth/SSO flow saves post-login browser state after a federated authentication sequence without warning that the resulting file may preserve access to the relying party session and potentially linked third-party session artifacts. In a browser automation skill, this is especially sensitive because such examples are likely to be reused in CI, shared workspaces, or debugging contexts where token-bearing files may persist unexpectedly.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The cookie-based authentication example demonstrates injecting a raw session token directly into the browser without warning that this token is effectively account access material. If copied into shell history, logs, screenshots, shared docs, or persisted scripts, the token can be replayed to hijack the authenticated session.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Embedding proxy credentials directly in environment-variable commands exposes secrets through shell history, process listings, logs, CI output, and inherited environments. Because this skill is for browser automation, users are likely to run such commands in shared developer or CI environments where credential leakage is realistic.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The SOCKS5 authentication example also places credentials directly in a command-visible URL, creating the same risk of credential disclosure via terminal history, environment inspection, process metadata, and logs. Providing this as copy-paste documentation increases the chance users will adopt an unsafe secret-handling pattern.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Advising users to open sites with '--ignore-https-errors' weakens certificate validation and enables man-in-the-middle interception, content tampering, and silent data exposure when using untrusted or SSL-inspecting proxies. The existing note is too weak for a browser automation tool, because users may automate logins, form submission, and sensitive data collection over those sessions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation encourages recording full browser sessions, including examples that fill login forms and passwords, but never warns that the resulting videos may capture credentials, session data, personal information, or other sensitive page content. In this skill context, the risk is elevated because the tool is explicitly used for web testing, form filling, and CI evidence collection, making it likely that recordings will be stored, shared, or uploaded as artifacts.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.