Back to skill

Security audit

Web Qa Bot

Security checks across malware telemetry and agentic risk

Overview

This is a coherent web testing tool, but crafted test or report inputs can reach unsafe shell commands on the local machine.

Install only if you trust every suite file, URL, selector, key, screenshot name, report output path, and company/report value passed to it. Avoid running untrusted YAML/JSON suites or PDF report options until shell-based execSync calls are replaced with argument-vector execution and input validation. Treat screenshots, console logs, reports, and authenticated browser sessions as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The skill’s declared purpose is narrow QA automation, but the documented behavior expands into general browser automation, external process interaction, report generation, and potentially arbitrary scripted actions via test suites. That mismatch is dangerous because operators may grant the skill more trust and permissions than intended, increasing the chance of misuse, unsafe execution against sensitive targets, or unexpected side effects on the local system and connected browser sessions.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The evaluate() method exposes arbitrary JavaScript execution in the loaded page context, which is broader than the skill's stated QA-focused purpose and can be misused to perform actions beyond testing, such as reading DOM data, local storage, or triggering sensitive workflows in authenticated sessions. In an agent-integrated skill, this increases the blast radius because any upstream prompt or tool input that reaches this method can become active page code execution.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The exec() helper builds a shell command by concatenating arguments into a single string and passes it to execSync(), which invokes a shell. Because several callers pass potentially variable inputs such as URLs, refs, keys, filenames, and scripts, this creates command-injection risk if any of those values can contain shell metacharacters; limited quote escaping in some paths is not comprehensive or consistent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The shell command is built via string interpolation using attacker-influenced values such as mdPath, options.output, and company, then passed to execSync. Because double quotes in those values are not escaped, a crafted value can break out of quoting and inject arbitrary shell commands, leading to command execution on the host during report generation.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"node": ">=18.0.0"
  },
  "dependencies": {
    "yaml": "^2.3.4"
  },
  "devDependencies": {
    "@types/node": "^20.10.0",
Confidence
88% confidence
Finding
"yaml": "^2.3.4"

Known Vulnerable Dependency: yaml==2.3.4 — 1 advisory(ies): CVE-2026-33532 (yaml is vulnerable to Stack Overflow via deeply nested YAML collections)

Low
Category
Supply Chain
Confidence
94% confidence
Finding
yaml==2.3.4

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/browser.ts:46

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/reporter.ts:173