Back to skill

Security audit

Web-search(Bing-CN)

Security checks across malware telemetry and agentic risk

Overview

The skill’s browser automation and session features fit its stated purpose, but users should be careful with real accounts and saved browser state.

Install only if you want an agent to drive a browser for testing or debugging. Avoid entering sensitive real credentials unless you trust the site and the workflow, do not save or commit auth state files, and be cautious when using persistent profiles or attaching to an existing browser session.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly opens the host browser so the user can log into third-party sites, but it does not warn that this may expose the user to external websites, credential entry risks, tracking, or unintended navigation outside the agent-controlled environment. In this context, the omission matters because the skill is designed to bridge from automated browsing into a real user browser session, which increases privacy and phishing risk if users are not clearly informed.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.