Agent Browser

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate browser automation skill, but it gives an agent powerful authenticated browsing, cookie, JavaScript, recording, upload, and proxy capabilities with insufficient safety boundaries.

Install only if you trust inference.sh and need agentic browser automation. Use it only on sites and accounts you are authorized to automate, avoid exporting or logging cookies, review any JavaScript before execution, keep recordings off around sensitive pages, upload only approved files, use trusted proxies, avoid rate-limit evasion, and close sessions promptly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
The 2FA example invokes a local subprocess (`oathtool`) and relies on a locally available secret (`TOTP_SECRET`), extending the skill guidance beyond browser automation into local secret handling and command execution. In an agent setting, this can normalize access to local secrets and host capabilities that may not be expected or safely sandboxed, increasing the chance of credential misuse or unintended privilege expansion.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
The document explicitly teaches extracting authenticated cookies for reuse in other tools, which turns the browser session into a credential export mechanism. Even when limited to non-HttpOnly cookies via `document.cookie`, this can expose session material and enable account hijacking or cross-tool credential leakage if copied, logged, or consumed by less-trusted components.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding:
The comment claims JavaScript can retrieve HttpOnly cookies, which is technically false and can mislead users into thinking the skill can access more session material than browsers permit. This misunderstanding is dangerous because it encourages unsafe authentication handling patterns and may cause operators to overtrust cookie extraction workflows or attempt broader credential harvesting behavior.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
The security guidance recommends reading secrets from local files and a secrets manager, which introduces host-level file and secret-access patterns not inherent to browser automation. In an agent skill, this broadens the implied trust boundary and may prompt deployments to grant filesystem or secret-store access to a browser-focused tool, increasing the blast radius of compromise or misuse.

Vague Triggers

Severity: Medium
Confidence: 97%
Finding:
The manifest description includes very broad trigger phrases such as 'browser', 'browse web', 'research', and 'click', which can cause the skill to be invoked for ordinary user requests that do not clearly imply consent for powerful browser automation. In this skill's context, that is more dangerous because it can navigate websites, upload files, execute JavaScript, use proxies, and record video, making accidental or over-broad activation privacy- and integrity-impacting.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The skill advertises sensitive capabilities including file upload, JavaScript execution, proxy routing, and video recording, but the description provides no warning that these actions can expose local data, alter remote state, capture secrets, or route traffic through third parties. Given this is a browser automation skill, missing warnings materially increases the chance that an agent or user will invoke dangerous actions without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The cookie extraction section lacks an explicit warning that exported cookies may function as live authenticated session credentials and should not be shared with other tools by default. In the context of an agent browser skill, this omission makes the guidance more dangerous because the skill already operates on authenticated web sessions, so users may unknowingly exfiltrate reusable session data into logs, pipelines, or lower-trust tools.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The documented browser functions expose screenshots, page text, DOM state, and optional video recording, which can capture credentials, personal data, session-specific content, or other sensitive information from visited pages. In an agent-browser skill, this is contextually more dangerous because the tool is explicitly designed for autonomous browsing and scraping, yet the documentation provides no privacy, consent, retention, or sensitive-data handling guidance to constrain misuse or accidental over-collection.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The execute function permits arbitrary JavaScript to run in the context of whatever page the browser has loaded, enabling extraction or manipulation of page content beyond normal documented interactions. In this skill's context, that materially increases risk because an autonomous agent can inspect DOM data, trigger actions, alter forms, or access sensitive in-page state, yet the documentation lacks warnings, restrictions, or examples of safe usage boundaries.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The authenticated proxy example shows a literal username and password in command input without an immediate warning about secret handling, which can normalize unsafe practices such as hardcoding credentials in scripts, shell history, logs, or shared documentation. In an agent-browser skill that routes all web traffic through a proxy, exposed proxy credentials can grant unauthorized network access and visibility into browsing activity.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The corporate proxy example uses credential-bearing environment variables, which is better than hardcoding, but it omits a warning that both requests and authentication are being sent through enterprise proxy infrastructure that may inspect, log, or modify traffic. In this browser automation context, that can expose sensitive browsing targets, session data, and credentials to intermediary systems if operators misunderstand the trust boundary.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The documentation explains that sessions persist cookies, storage, history, page state, and video buffers across calls, but does not warn that these artifacts may contain authentication tokens, personal data, or other sensitive browser state. In a browser-automation skill, this omission can lead users to reuse sessions unsafely, leak credentials between tasks, or fail to close sessions promptly, increasing exposure of sensitive data.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The documentation explicitly recommends using raw JavaScript to interact with hidden elements when they are not present in the safe snapshot model. In a browser-automation skill, this bypasses the guardrails implied by the ref-based interaction system and can encourage unsafe direct DOM execution, enabling agents to click concealed UI, trigger unintended actions, or interact with elements the safety model intentionally filtered out.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The documentation actively promotes session-wide video recording and includes examples for debugging, CI artifacts, and audit archiving without prominently warning that recordings can capture credentials, personal data, tokens, admin screens, and other sensitive on-screen content. In a browser-automation skill, this is particularly risky because agents may navigate authenticated sessions and privileged interfaces, so users may enable recording by default and inadvertently retain or exfiltrate sensitive data.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
This workflow is explicitly designed to capture screenshots, page text, links, and optional video from arbitrary URLs, but it provides no consent gate, sensitivity warning, domain restriction, or data-minimization control. In an agent-browser context, that makes accidental collection of credentials, personal data, internal dashboards, or other sensitive content more likely, especially if an agent is pointed at authenticated or private pages.

Ssd 2

Severity: Medium
Confidence: 98%
Finding:
The section explicitly frames proxy rotation as a way to avoid rate limits while scraping, which encourages bypassing service-imposed access controls and anti-abuse mechanisms. Because this is an agent-browser automation skill with scraping and JavaScript execution capabilities, the guidance materially increases the likelihood of abusive collection at scale and can facilitate terms-of-service violations, blocking evasion, or broader unauthorized data harvesting.

VirusTotal

63/63 vendors flagged this skill as clean.
