Back to skill

Security audit

Gstack

Security checks across malware telemetry and agentic risk

Overview

Gstack is a coherent engineering automation suite, but it needs Review because it can import real browser sessions, mutate repositories, auto-update itself, and persist workflow data.

Install only if you are comfortable granting this package high trust over your development environment. Treat imported browser cookies as account credentials, use cookie import only for specific domains you intentionally want to test, avoid auto-upgrade unless you trust future upstream changes, and review /ship and /document-release carefully before using them on sensitive repositories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (126)

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill is presented as a QA browser tool, but it also exposes powerful capabilities that materially expand risk: arbitrary JS execution, local file-based eval, browser cookie import, direct storage manipulation, custom headers, and persistent logging/state. That mismatch can mislead users into granting trust to a tool that can access sensitive authenticated data and alter browser context beyond ordinary testing.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The documented command set goes beyond passive QA browsing and includes arbitrary JavaScript execution (`js`) and file-based script evaluation (`eval`) in the page context. In an agent skill, this materially expands the capability from testing to active code execution against authenticated web sessions, enabling data extraction, state-changing actions, or abuse of trusted browser context.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
Importing cookies from files or real browsers exceeds the stated QA/dogfooding scope and gives the tool access to live authenticated sessions. That allows the skill to impersonate users across sites and access sensitive data or perform actions without reauthentication, which is especially dangerous in an agent-controlled browser.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The documentation explicitly describes decrypting cookies from installed Chromium browsers using OS keychain material. This is credential access behavior unrelated to ordinary headless QA testing and can be used to harvest session tokens from the host, enabling account takeover or unauthorized access to third-party services.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
An interactive cookie-picker HTTP UI adds a secondary interface for browsing, selecting, importing, and removing sensitive browser cookies. This auxiliary capability increases attack surface and normalizes handling of authentication data in a skill whose stated purpose is headless QA automation.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The changelog describes behaviors far outside the declared scope of a QA/browser-testing skill, including self-upgrade checks, GitHub interactions, config mutation, and documentation automation. That scope expansion is dangerous because users and reviewers may grant trust or permissions based on the manifest description while the skill performs broader project-affecting actions.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Automatic release-documentation updates are unrelated to headless browser QA and imply the skill may read and modify many repository files beyond testing a site. In the context of a QA-branded skill, this creates deceptive capability scope and increases the chance of unintended or unauthorized repository changes.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The README documents cookie decryption/import from local Chromium profiles, which exceeds the stated browser-QA purpose in the provided skill metadata. Accessing real browser sessions materially expands the trust boundary from test automation into credential/session handling, enabling unauthorized access to authenticated services if the capability is invoked carelessly or by a compromised workflow.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill metadata says this is a headless browser QA/testing tool, but the README describes a broader suite that can review code, push branches, open PRs, rewrite docs, and analyze contributor activity. That mismatch is dangerous because users may grant browser-testing trust to a package that also performs repository-modifying and workflow-automation actions they did not expect.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Cookie decryption/import from local Chromium browsers is a highly sensitive capability for a tool presented as QA/testing. It provides access to existing authenticated sessions and can bypass normal login and MFA flows, making accidental misuse or malicious repurposing significantly more damaging than ordinary browser automation.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
Automatic PR interaction and persistent history tracking are not inherently malicious, but they are outside the scope implied by the browser-QA metadata and create side effects on external systems and local state. This increases risk of unintended repository changes, privacy leakage, and hidden behavioral persistence across runs.

Context-Inappropriate Capability

Medium
Confidence
79% confidence
Finding
Contributor mode instructs the agent to write local field-report files during normal skill use, which is unrelated to the user's requested browser task and causes side effects on the host filesystem. Even if intended for product improvement, it creates unrequested persistence and can leak task context, errors, URLs, or other sensitive details into local logs.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The setup path installs external software via a curl-piped shell command, which executes remote code fetched at runtime. This is a high-risk pattern because compromise of the remote source, transport chain, or installer script can lead to arbitrary code execution on the host.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to install Bun by piping a remote script directly into bash. That creates arbitrary code execution from the network during setup, which is broader and riskier than the stated QA-browsing purpose and gives the remote host full script control at install time.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill exposes a command to import cookies directly from local desktop browsers, enabling reuse of existing authenticated sessions. In an agent context, this can bypass normal login boundaries and grant access to unrelated accounts or sensitive web sessions present on the machine.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This module is explicitly designed to locate, decrypt, and return cookies from real installed Chromium-family browsers using macOS Keychain material. That capability exceeds the declared scope of a headless QA/browser automation skill and enables session-token extraction from unrelated user browsing contexts, which can lead to account takeover and privacy compromise.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code invokes the macOS `security` tool to read browser Safe Storage secrets from Keychain and derives decryption keys for stored browser cookies. Accessing platform credential stores to recover real session cookies is a credential-access capability, not ordinary QA automation, and can be abused to impersonate the user on authenticated services.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The registry enumerates multiple consumer browsers and associates each with its Keychain service and cookie database location, showing intentional support for broad local cookie extraction. In the context of a QA browser skill, this materially increases risk because it targets real user environments rather than isolated automation state.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The code comments claim the routes are 'localhost-only' and unauthenticated by accepted risk, but there is no enforcement that requests originate from loopback and no authentication or CSRF-style protection. Any process or webpage able to reach the service on the bound interface/port could invoke cookie listing, import, and removal endpoints, enabling exposure and manipulation of browser session state.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The module header explicitly claims these commands extract data 'without side effects', but the implemented command set includes state-changing behavior elsewhere in the file. This mismatch is security-relevant because callers, policy layers, or human reviewers may permit 'read' operations under weaker trust assumptions, enabling unexpected modification of browser state.

Description-Behavior Mismatch

Medium
Confidence
99% confidence
Finding
The `storage set` branch writes to `localStorage` from a module presented as read-only. In an agent setting, that can alter application behavior, authentication/session flows, feature flags, consent state, or anti-automation logic while bypassing controls that only allow 'safe read' commands.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill can import decrypted cookies from installed local browsers into the active automation session, which materially expands its access beyond ordinary QA browsing. Browser cookies often grant authenticated access to personal or enterprise accounts, so this capability can enable session hijacking or unauthorized access if invoked on sensitive domains. The skill context makes this more dangerous because a headless browser/testing tool can immediately use imported cookies to act as the user on remote sites.

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
These tests confirm the skill supports setting arbitrary cookies and request headers, capabilities not clearly disclosed in the manifest description. In an agent context, that broadens the tool from passive QA/browser interaction into session manipulation and authenticated request shaping, which can enable impersonation, CSRF bypass testing, or access to privileged app states without clear user awareness.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The tests demonstrate arbitrary JavaScript execution via direct expressions and local file-backed eval, which is substantially more powerful than the stated browser QA description suggests. In an agent-operated browser, eval can execute active logic in page context, exfiltrate DOM data, interact with authenticated sessions, and combine with local file reads to run attacker-supplied scripts.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Local file-backed eval is a powerful extension beyond ordinary web QA because it lets the tool load script content from disk and run it in the browser context. Even with some path checks, this creates a bridge between local filesystem content and privileged browser state, increasing the risk of executing unintended or attacker-influenced scripts.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.exposed_secret_literal

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
browse/test/commands.test.ts:621

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/dev-skill.ts:24

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/skill-check.ts:101

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
test/helpers/eval-store.ts:523

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
test/skill-e2e.test.ts:127

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
browse/src/cli.ts:20

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
test/skill-e2e.test.ts:21

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
browse/src/server.ts:33

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
browse/test/cookie-import-browser.test.ts:8