Web Research Assistant

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real web research skill, but its documentation promotes bypassing paywalls, CAPTCHA or human checks, and regional restrictions without clear authorization limits.

Install only after reviewing the access-control language. Use this skill only for lawful, authorized research, not to bypass paywalls, CAPTCHA, anti-bot protections, or regional licensing restrictions. Do not submit secrets, personal data, or confidential business topics unless you are comfortable sending them to BrowserAct and have reviewed that provider's data-handling terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Intent-Code Divergence

Medium
Confidence: 86%
Finding
The Chinese feature list claims the skill has a built-in mechanism to avoid CAPTCHA and other verification challenges, which normal web research does not justify. That language encourages use against anti-bot protections and signals functionality or intended usage that may violate site access controls and platform policies.

Context-Inappropriate Capability

High
Confidence: 97%
Finding
The documentation explicitly promotes use on paywalled content and geographically restricted sites, framing access controls as obstacles to overcome. In a web research skill, this materially increases the risk of unauthorized acquisition of content and misuse of third-party services to evade contractual, technical, or regional restrictions.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The script reads BROWSERACT_API_KEY from the environment even though that credential is never used. Unnecessary credential access expands the skill's privilege surface and creates avoidable exposure if the process memory, logs, debugging output, or future code changes leak or misuse the value.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill description does not clearly warn that user queries and potentially related browsing context are sent to the external BrowserAct API. Without that disclosure, users may unintentionally transmit sensitive research topics, internal project names, or other confidential data to a third party.

Missing User Warnings

Medium
Confidence: 93%
Finding
The text promotes bypassing restrictions but omits warnings about legal, policy, copyright, and terms-of-service implications. This can mislead users into believing such access is routine or approved, increasing the likelihood of unauthorized or noncompliant use.

Missing User Warnings

Medium
Confidence: 91%
Finding
User-supplied research queries are transmitted to an external service, which can expose sensitive prompts, internal project names, or proprietary questions if users assume the search is local. In a research-assistant skill, this behavior is expected operationally, but the lack of a clear user-facing disclosure makes accidental data leakage more likely.

Missing User Warnings

Low
Confidence: 84%
Finding
The script writes to a user-provided output path without warning that files may be created or overwritten. This is not arbitrary file write from attacker-controlled ambient input, but it can still cause accidental data loss or unsafe writes if a user supplies an important path by mistake.

Ssd 4

Medium
Confidence: 94%
Finding
The overall narrative repeatedly presents blocked, restricted, and paywalled access as problems the skill will automatically solve. In context, this steers an agent toward unauthorized acquisition behavior and normalizes evasive use of external browsing infrastructure rather than lawful fallback behavior.

Ssd 2

Medium
Confidence: 92%
Finding
Even without explicit exploit terminology, the wording semantically describes evading access controls such as geoblocking and paywalls. That makes the skill more dangerous because it embeds attack-adjacent guidance into normal research workflow documentation, lowering the barrier to misuse.

Ssd 2

High
Confidence: 96%
Finding
The Chinese section explicitly promotes bypassing CAPTCHA and IP/regional restrictions, reinforcing the same evasive behavior in another language. This is especially concerning because it broadens the audience for misuse while making the policy-violating intent less visible to reviewers who only read the English text.

VirusTotal

64/64 vendors flagged this skill as clean.