Back to skill

Security audit

Agent Browser - Stagehand

Security checks across malware telemetry and agentic risk

Overview

This browser automation skill appears purpose-built, not malicious, but it needs Review because it gives broad browser control with persistent sessions, automatic downloads, internal-network access, and automatic remote-browser use without strong runtime guardrails.

Install only if you are comfortable giving an agent broad browser-control authority. Use isolated browser profiles for sensitive accounts, avoid saving passwords, confirm before submissions, purchases, account changes, downloads, or Browserbase remote sessions, and clear .chrome-profile, screenshots, and ./agent/downloads/ when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The login example instructs users to enter credentials and notes that Chrome's user profile may preserve session cookies between runs, but it does not clearly warn about credential handling, session persistence, or privacy risks. In a browser automation skill, this can lead to unintended retention of secrets or authenticated sessions that may be reused by later tasks or exposed through screenshots, logs, or shared environments.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The download example states that files are automatically written to './agent/downloads/' but does not prominently warn about the security implications of automatic disk writes. In a browser automation context, this can cause users to fetch untrusted content to local storage without realizing it, increasing risk of sensitive data accumulation, malware delivery, or unsafe downstream processing of downloaded files.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill silently switches between local and remote execution based on detected configuration, with no user warning about where browsing activity and page data will be processed. This can expose sensitive browsing content, cookies, form inputs, or internal URLs to a third-party remote environment when the user reasonably expects local execution.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.