Back to skill

Security audit

ChatGPT Web Skill

Security checks across malware telemetry and agentic risk

Overview

The skill largely does what it advertises, but it can duplicate sensitive ChatGPT login profile data outside the documented skill folder.

Install only if you are comfortable letting this skill control a logged-in ChatGPT Web session. Treat data/browser_state and any temporary chatgpt-profile directories as account-access secrets, avoid sending private credentials or sensitive business data in prompts, and clean up screenshots, sessions, and temporary profile copies after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print("📦 Installing dependencies...")
            try:
                subprocess.run([str(self.venv_pip), "install", "--upgrade", "pip"], check=True)
                subprocess.run([str(self.venv_pip), "install", "-r", str(self.requirements_file)], check=True)
                print("🌐 Installing Google Chrome for Patchright...")
                try:
                    subprocess.run([str(self.venv_python), "-m", "patchright", "install", "chrome"], check=True)
Confidence
87% confidence
Finding
subprocess.run([str(self.venv_pip), "install", "-r", str(self.requirements_file)], check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
subprocess.run([str(self.venv_pip), "install", "-r", str(self.requirements_file)], check=True)
                print("🌐 Installing Google Chrome for Patchright...")
                try:
                    subprocess.run([str(self.venv_python), "-m", "patchright", "install", "chrome"], check=True)
                except subprocess.CalledProcessError as error:
                    print(f"⚠️ Warning: failed to install Chrome automatically: {error}")
                    print("   Run manually if needed: python -m patchright install chrome")
Confidence
80% confidence
Finding
subprocess.run([str(self.venv_python), "-m", "patchright", "install", "chrome"], check=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill clearly performs shell execution, network access, environment-variable use, and persistent file read/write, yet it declares no permissions. That mismatch is a real security issue because users and policy engines cannot accurately assess or constrain what the skill will do before execution. In this context, the skill also automates a logged-in browser session and stores auth/browser state locally, which increases sensitivity compared with a low-risk read-only skill.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.