Back to skill

Security audit

Stagehand Browser CLI

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate browser automation skill, but it gives broad browser control with persistent sessions, automatic downloads, and possible remote browsing without per-task consent.

Install only if you trust the publisher and can verify the actual CLI source and dependencies. Use a dedicated browser profile, avoid saved passwords or sensitive accounts, choose local versus Browserbase deliberately, confirm before submitting forms or downloading files, and periodically clear .chrome-profile, screenshots, downloads, and cache data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The login example instructs users to enter credentials and explicitly notes that Chrome's user profile may preserve session cookies between runs, but it does not provide a clear warning about credential handling, session persistence, or privacy risks. In a browser automation skill, this increases the chance of accidental credential exposure, unintended account reuse, or cross-task access via leftover authenticated sessions.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The download example states that files are automatically written to a local directory, but it does not clearly warn users before the workflow that navigating to a file URL will create local artifacts. In a browser automation context, silent or poorly signposted file writes can lead to unexpected storage of sensitive, malicious, or unwanted content on the host system.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill description is broad enough to trigger on many ordinary browsing-related requests, which increases the chance the agent invokes this skill in situations the user did not clearly intend. Because the skill can navigate, extract data, fill forms, and interact with web applications, overbroad activation expands the attack surface for unintended web actions and data exposure.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill silently switches to a remote Browserbase environment when API keys are present and explicitly states there is no user prompting. That means browsing activity, page contents, form inputs, and potentially sensitive session data may be transmitted to a third-party service without user awareness or consent, creating a significant privacy and data-handling risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.