Security audit

Nstbrowser AI Agent

Security checks across malware telemetry and agentic risk

Overview

This is a real Nstbrowser automation skill, but it exposes high-impact profile, proxy, persistence, and anti-detection controls with unsafe examples and insufficient guardrails.

Install only if you intentionally need Nstbrowser automation and trust the nstbrowser-ai-agent package. Before using it, restrict invocation to explicit Nstbrowser tasks, avoid command-line passwords, review or rewrite the shell templates before running them, and require human confirmation before any delete, clear, reset, stop-all, screenshot, snapshot, debugger, or batch profile operation. Use it only for authorized automation, not to evade access controls or impersonate users.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (23)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger description ends with a broad catch-all phrase covering 'any task requiring Nstbrowser's anti-detection features,' which can cause the skill to activate for a wide range of browser-automation requests beyond a narrowly scoped purpose. Because this skill exposes anti-detection, proxy, profile, and persistence capabilities, over-broad activation increases the chance an agent invokes it in risky contexts such as stealth scraping, account automation, or evasion-oriented browsing.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill includes profile deletion commands but does not warn that profiles may contain persistent sessions, cookies, local storage, proxies, and other state that can be permanently lost. In an agent setting, omission of a confirmation or backup warning creates a realistic risk of destructive actions being executed automatically or with insufficient user awareness.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill promotes persistent sessions, saved login state, and later data extraction without any privacy, consent, or sensitive-data handling warning. In combination with anti-detection and profile isolation features, this can facilitate collection or reuse of authenticated browsing data in ways that exceed user expectations or policy boundaries.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This documentation describes batch cookie/tag clearing operations and cache clearing workflows without prominently warning that they can irreversibly remove session state, login data, or organizational metadata across many profiles at once. In an AI-agent/browser-automation context, that omission is risky because an agent or operator may execute these commands at scale and accidentally disrupt active accounts, invalidate sessions, or destroy profile state needed for recovery.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation exposes destructive profile deletion commands without any caution, confirmation guidance, or recovery notes. In an agent-facing CLI, this increases the chance that an automated workflow or user following examples will permanently delete browser profiles and associated configuration by mistake, especially when multiple IDs can be passed in one command.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The global stop-all command is documented without clearly warning that it terminates every running browser instance, not just the current target. In shared or multi-profile automation contexts, an agent could disrupt unrelated sessions, jobs, or investigations by invoking it based only on the terse reference entry.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The cache and cookies clear commands are destructive to local session state but the reference omits warnings about logout effects, session invalidation, and loss of browsing state across one or many profiles. In an automation skill centered on browser profile management, this can cause accidental account disruption or data loss when used in batch operations.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The example places proxy credentials directly on the command line, which commonly exposes secrets through shell history, process listings, terminal recordings, and CI logs. Because this skill is meant for automation and profile management, users are likely to copy these commands verbatim, increasing the chance of credential leakage.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The complete example repeats the unsafe pattern of embedding proxy usernames and passwords inline, normalizing insecure secret handling in a high-likelihood copy/paste scenario. In an automation-focused tool, this can leak long-lived proxy credentials into scripts, logs, shell history, and orchestration systems.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The guide shows proxy credentials passed directly on the command line via `--username` and `--password`. Command-line arguments can be exposed through shell history, process listings, audit logs, and CI job output, which can leak active proxy secrets to other local users or logging systems.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The manual testing examples embed `user:pass` directly in proxy URLs for `curl`, which can disclose credentials through shell history, process monitors, terminal logs, and pasted command transcripts. Because this is documentation for operational proxy use, readers are likely to copy these examples verbatim, increasing the chance of real credential exposure.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The troubleshooting guidance tells users to print `NST_API_KEY` to the terminal and append it directly into `.nstbrowser-ai-agent.env` without warning that shell history, terminal scrollback, and local files may all expose secrets. In a browser automation skill that manages anti-detection profiles and proxy settings, API keys are high-value credentials and their casual handling increases the chance of credential leakage or reuse by unauthorized parties.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The proxy troubleshooting examples embed usernames and passwords directly in CLI flags and URLs such as `http://user:pass@...` without any warning about exposure through shell history, process lists, logs, or copied documentation. Because this skill is specifically for browser fingerprinting, profile management, and proxy configuration, proxy credentials are central operational secrets and leaking them could enable account misuse or traffic hijacking.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation instructs users to enable debug mode and tee all output to `debug.log` for collection and sharing, but it does not warn that debug output may contain API keys, proxy credentials, profile identifiers, local paths, cookies, or other sensitive operational data. This omission is especially risky in a tool that interacts with browser profiles and network configuration, where logs often capture authentication and environment details.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger phrase "manage browser profiles" is broad enough to match many generic browser or account-management requests that are not specifically about Nstbrowser. In an agent environment, overly broad triggers can cause unintended skill invocation, steering users into a tool that exposes profile, proxy, and anti-detection capabilities beyond what they asked for.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger phrase "batch update profiles" lacks product-specific scope and could match common requests about social, user, browser, or account profiles unrelated to this tool. Because this skill can perform bulk operations, accidental activation increases the risk of unintended mass changes to browser profiles, proxies, or automation settings.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger "start multiple browsers" is very generic and can match ordinary browsing, testing, or development requests that have nothing to do with Nstbrowser. In this skill's context, activation could launch multiple anti-detection browser instances or operational profiles unexpectedly, expanding the chance of misuse or unauthorized automation.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The phrase "browser fingerprinting" is vague and underspecified, and it overlaps with broad topics including privacy education, security research, analytics, and web compatibility. Since this skill is explicitly tied to anti-detection features, a vague trigger can inappropriately route benign discussions into a tool designed to manipulate browser identity characteristics.

Vague Triggers

Medium
Confidence
97% confidence
Finding
The trigger "anti-detection" is especially risky because it is both broad and strongly associated with stealth, evasion, and abuse-oriented browser automation. In the context of a skill that manages proxies, profiles, and fingerprinting, this phrase can attract or auto-match suspicious requests and route them toward capabilities that facilitate concealment of automated activity.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script saves a full page snapshot to a local JSON file, which can include page content, URLs, and structured state derived from an authenticated browser session. In the context of a browser automation tool with profile persistence and anti-detection features, this increases the chance of storing sensitive account data or internal application content on disk without user awareness or access controls.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script writes a screenshot to disk, which may capture sensitive page content such as account details, tokens shown in UI, internal dashboards, or personal information. Because this skill is designed for persistent browser profiles and automated browsing, screenshots may be taken in authenticated contexts, making local disclosure risks more significant.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script accepts a proxy password as a command-line argument and then appends it into a shell command string that is executed with eval. Command-line secrets are commonly exposed via shell history, process listings, CI logs, and audit tooling, so proxy credentials may be disclosed to local users or logging systems. In this browser automation context, exposed proxy credentials can enable misuse of the proxy service and compromise operator privacy.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script explicitly accepts proxy usernames and passwords as command-line arguments and later appends them into a constructed command string that is executed. Command-line arguments are commonly exposed through shell history, process listings, CI logs, and audit tooling, so proxy credentials can be unintentionally disclosed to other local users or logging systems.

VirusTotal

63/63 vendors flagged this skill as clean.
