Back to skill

Security audit

Browser Automation CLI

Security checks across malware telemetry and agentic risk

Overview

This browser automation skill is purpose-aligned, but it gives the agent broad live-browser control with remote execution, session persistence, and automatic downloads that need user review.

Install only if you are comfortable giving the agent broad browser control. Before sensitive use, confirm whether Browserbase remote mode is active, avoid entering real passwords unless necessary, use isolated or cleared browser profiles, review screenshots for sensitive content, and treat files in ./agent/downloads as untrusted until verified.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The example explicitly documents downloading remote content and automatically writing it to a local directory, which expands the skill from browser interaction into local file materialization. That creates risk of unintended storage of malicious, sensitive, or policy-violating files, especially if users do not realize downloads happen automatically.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The login example instructs entering credentials and notes that a Chrome profile may preserve session cookies between runs, but does not clearly warn about credential exposure, account misuse, or persistence of authenticated state. This can lead users to submit secrets into third-party sites and leave reusable sessions on disk for later access.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The form-submission example directs the agent to fill and submit personally identifying information to a third-party website without a clear notice that data will be transmitted externally. Users may not appreciate that the automation is not just drafting text but actually sending personal data off-platform.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The file-download example omits a clear warning that visiting the URL will automatically write content to local storage. Even if the capability is intended, users should be told that artifacts will be persisted locally because this affects privacy, storage hygiene, and handling of untrusted content.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The reference explicitly documents that downloads are saved automatically and that browser state, including cookies and saved credentials, persists in a shared profile, but it does not present a prominent upfront warning or safety guidance before describing normal usage. In a browser automation skill, this can lead users or upstream agents to unknowingly store sensitive session data and fetch untrusted files onto the host, increasing risk of credential leakage, cross-task session reuse, and unsafe file handling.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill description is broad enough to activate on many browsing-related requests without clearly bounding risky actions. In a browser automation skill, overbroad triggers increase the chance the agent invokes a capability that can click buttons, submit forms, or interact with authenticated sessions when the user only intended read-only browsing or data lookup.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The description advertises form filling, button clicking, and web-app interaction but does not warn that these actions can modify live accounts, submit data, or trigger irreversible changes. Users and upstream agents may treat the skill as routine browsing, creating a safety gap where state-changing actions occur without explicit acknowledgement of the risk.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill silently switches to a remote Browserbase environment whenever API keys are present, without warning that visited URLs, page content, form inputs, screenshots, and session activity may be processed by a third-party service. In the context of browser automation, this materially increases privacy and data-handling risk because sensitive browsing tasks may leave the local machine unexpectedly.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.