Security audit

Browser Secure

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly coherent with secure browser automation, but it handles credentials and authenticated page content with approval and retention weaknesses that need review before installation.

Install only on a trusted, single-user machine and use a dedicated automation Chrome profile and narrowly scoped vault items. Avoid storing master passwords in .env, avoid --yes and --skip-approval for sensitive sites, disable raw HTML/full-text capture unless needed, and regularly clear ~/.browser-secure scrapbook, logs, cache, and daemon state.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (31)

Intent-Code Divergence

Medium

Confidence: 83% confidence
Finding: The README presents the tool as a narrowly scoped, human-guided capture utility, but later documents legacy `act` and daemon capabilities that materially broaden it into general browser automation. This mismatch can cause operators or downstream agents to over-trust the tool's safety boundaries and invoke capabilities that reach beyond the claimed gated-content use case.

Intent-Code Divergence

Medium

Confidence: 95% confidence
Finding: The security model claims approval gates at every step, but `--yes` explicitly disables those human approvals. In a security-sensitive browser automation tool, this creates a direct path to unattended access, extraction, and recording, undermining the core safeguard the README emphasizes.

Description-Behavior Mismatch

Medium

Confidence: 92% confidence
Finding: The CLI exposes substantial site profiling, capture, and scrapbook/export functionality that goes well beyond the declared purpose of secure browser automation. This materially expands the skill from browser control into content collection and local knowledge-base building, increasing the risk of unauthorized data harvesting, retention of sensitive page contents, and user surprise about what the tool can do.

Context-Inappropriate Capability

Medium

Confidence: 94% confidence
Finding: The init/capture workflow builds a generalized content-harvesting pipeline: it analyzes sites, detects login/search patterns, extracts sample content, and records reusable playbooks for future capture. In a tool advertised as secure browser automation, this hidden capability is dangerous because it enables scalable collection of web content, potentially including authenticated or proprietary data, under the cover of a narrower stated purpose.

Intent-Code Divergence

Medium

Confidence: 99% confidence
Finding: The code presents a 2FA-protected approval flow and logs that verification completed, but it only validates that the input is 6-8 digits. Any attacker or misbehaving automation can supply an arbitrary numeric string and bypass the intended second-factor control for destructive actions, turning a security gate into a cosmetic check.

Context-Inappropriate Capability

Medium

Confidence: 78% confidence
Finding: The manifest explicitly supports access to high-value vault credentials including Bitwarden and 1Password tokens, while the package description understates the tool as a browser capture utility. In a browser automation skill, this materially increases risk because the skill may obtain secrets that could be abused for credential theft, lateral movement, or unauthorized secret retrieval if other controls fail.

Description-Behavior Mismatch

Medium

Confidence: 93% confidence
Finding: The CLI adds substantial site profiling, content capture, and scrapbook export capabilities that go beyond the declared secure-browser-automation scope. This expands the tool into persistent web scraping and data collection, increasing risk of unauthorized capture of sensitive/authenticated content and making operator trust assumptions inaccurate.

Context-Inappropriate Capability

High

Confidence: 98% confidence
Finding: The config command executes whatever program is named in the EDITOR environment variable via spawn. An attacker who can influence the environment can cause arbitrary local code execution when a user runs `browser-secure config --edit`, and the skill provides no validation or warning.

Intent-Code Divergence

Medium

Confidence: 92% confidence
Finding: The code behavior contradicts the documented security model: despite comments claiming interactive mode requires an explicit flag, the function still prompts by default whenever unattended and auto-approve are not set. In a security-sensitive approval system, misleading operator expectations can cause workflows to run in contexts that were assumed to be non-interactive, leading to accidental approval gating bypass assumptions, hangs, or unsafe deployment patterns.

Intent-Code Divergence

High

Confidence: 99% confidence
Finding: The code claims 2FA verification is completed, but it only validates that the input is 6-8 digits and then approves the destructive action. This effectively nullifies the 2FA control, because any attacker or misbehaving caller can supply an arbitrary numeric string and obtain approval for actions explicitly marked as destructive.

Vague Triggers

Medium

Confidence: 79% confidence
Finding: A freeform natural-language `act` command is an overly broad interface for a browser automation skill, especially when paired with sensitive authenticated browsing. Broad triggers and unconstrained instructions increase the risk of unsafe or unintended actions, including navigation, data extraction, or interactions outside the documented secure workflow.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The README advertises an auto-approved mode that can store full text and raw HTML without a strong, nearby warning about privacy, retention, and legal/compliance consequences. Because this tool targets gated and authenticated content, bulk recording without clear warning increases the chance of capturing sensitive, licensed, or personal data inadvertently.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The config command executes the program referenced by the EDITOR environment variable without validation or a user-facing warning. Because environment variables are attacker-influenced in many execution contexts, this can lead to arbitrary command execution when a user invokes the seemingly benign config editor path.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The function persistently stores page screenshots and, optionally, full HTML under the user's home directory, which can capture sensitive page contents such as account data, internal documents, tokens rendered in the DOM, or regulated information. In a browser automation skill explicitly designed for authenticated and sensitive operations, saving these artifacts without an explicit consent/check at this point materially increases the risk of local data exposure and over-collection.

Missing User Warnings

Medium

Confidence: 80% confidence
Finding: The capture metadata records whether credentials were used and ties that fact to a specific URL, site, timestamp, and stored artifacts, creating a sensitive activity log. Even though it does not store the credentials themselves, this metadata can reveal authentication state and user behavior, which becomes more sensitive in a tool intended for authenticated browsing and compliance-related capture.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The code automatically stores page screenshots in a persistent directory under the user's home folder, which can capture sensitive information such as authenticated sessions, account data, internal pages, or personal content. In the context of a 'browser-secure' skill intended for sensitive and authenticated browsing, silent persistent retention materially increases privacy and data exposure risk if the host is shared, backed up, or later compromised.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The logger persists potentially sensitive runtime data to a plaintext file in the user's home directory, including stack traces, session IDs, command-line arguments, URLs, and arbitrary context. In this skill's security-sensitive browser automation context, those fields can easily contain credentials, auth tokens, internal URLs, or other secrets, and the code provides no redaction, consent, or file-permission hardening for the log file itself.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The manual password prompt uses a standard readline question, which echoes the password in cleartext to the terminal as the user types. In a skill explicitly designed for secure browser automation and sensitive operations, this increases the risk of shoulder-surfing, terminal logging/history capture, screen recording leakage, and inadvertent disclosure in shared or audited environments.

Missing User Warnings

Medium

Confidence: 74% confidence
Finding: The EnvironmentVault silently reads site credentials from process environment variables based solely on the requested site name, with no approval gate, disclosure, or validation of whether env-based secret access is intended. In a browser automation skill advertised as 'secure' and suitable for sensitive operations, this fallback can cause unintended credential use or broaden the attack surface if an upstream caller can influence the site parameter or process environment.

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The setup flow explicitly enables auto-installation of multiple dependencies, including package-manager driven installs, without describing strong trigger constraints, trust validation, or user confirmation boundaries in this file. In a security-sensitive browser automation skill, broad installation behavior increases supply-chain and unexpected system-modification risk, especially if setup is run in privileged or developer environments.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The setup instructions tell the user to export a Bitwarden session token directly into the shell environment but do not warn that this token is sensitive and may be exposed through shell history, process environments, logs, or downstream commands. For a skill handling authenticated browsing and vault integration, normalizing unsafe credential handling raises the chance of credential leakage and account compromise.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The tool launches the program from EDITOR without telling the user which executable will run. In a security-sensitive skill, silent execution of an environment-controlled local program increases the chance of unintended code execution and social-engineering abuse.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: When saveHtml is enabled, the workflow writes the full DOM of the current page to a predictable local scrapbook directory under the user's home folder. In a security-focused browser automation skill that may operate on authenticated or sensitive sites, this can persist secrets, PII, tokens, and internal content to disk without any enforcement in this function of consent, redaction, encryption, or sensitivity checks.

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The function always saves a screenshot of the page to disk, which may capture account data, private documents, session-specific information, or other sensitive visual content. Because this skill is explicitly designed for authenticated browsing and sensitive operations, unconditional screenshot persistence materially increases the risk of local data exposure and unintended retention.

Missing User Warnings

High

Confidence: 78% confidence
Finding: This function stores captured page content, excerpts, full text, URLs, referrers, selectors, screenshots, and approval metadata to persistent local files. In the context of a 'browser-secure' skill intended for authenticated and sensitive browsing, that creates a meaningful confidentiality risk because sensitive corporate, personal, or regulated content may be retained on disk longer than expected and later exposed through local compromise, backups, or shared workstation access.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.dynamic_code_execution, suspicious.exposed_secret_literal

Shell command execution detected (child_process).

Critical

Code: suspicious.dangerous_exec
Location: dist/browser/daemon.js:150

Shell command execution detected (child_process).

Critical

Code: suspicious.dangerous_exec
Location: dist/browser/secure-session.js:40

Shell command execution detected (child_process).

Critical

Code: suspicious.dangerous_exec
Location: dist/cli.js:317

Shell command execution detected (child_process).

Critical

Code: suspicious.dangerous_exec
Location: dist/vault/discovery.js:35

Shell command execution detected (child_process).

Critical

Code: suspicious.dangerous_exec
Location: dist/vault/index.js:12

Shell command execution detected (child_process).

Critical

Code: suspicious.dangerous_exec
Location: scripts/onboarding.js:40

Shell command execution detected (child_process).

Critical

Code: suspicious.dangerous_exec
Location: src/browser/daemon.ts:193

Shell command execution detected (child_process).

Critical

Code: suspicious.dangerous_exec
Location: src/browser/secure-session.ts:66

Shell command execution detected (child_process).

Critical

Code: suspicious.dangerous_exec
Location: src/cli.ts:372

Shell command execution detected (child_process).

Critical

Code: suspicious.dangerous_exec
Location: src/vault/discovery.ts:71

Shell command execution detected (child_process).

Critical

Code: suspicious.dangerous_exec
Location: src/vault/index.ts:30

Dynamic code execution detected.

Critical

Code: suspicious.dynamic_code_execution
Location: dist/browser/secure-session.js:632

Dynamic code execution detected.

Critical

Code: suspicious.dynamic_code_execution
Location: src/browser/secure-session.ts:747

File appears to expose a hardcoded API secret or token.

Critical

Code: suspicious.exposed_secret_literal
Location: dist/research/site-profiler.js:29

File appears to expose a hardcoded API secret or token.

Critical

Code: suspicious.exposed_secret_literal
Location: dist/vault/discovery.js:229

File appears to expose a hardcoded API secret or token.

Critical

Code: suspicious.exposed_secret_literal
Location: dist/vault/index.js:47

File appears to expose a hardcoded API secret or token.

Critical

Code: suspicious.exposed_secret_literal
Location: src/research/site-profiler.ts:55

File appears to expose a hardcoded API secret or token.

Critical

Code: suspicious.exposed_secret_literal
Location: src/vault/discovery.ts:308

File appears to expose a hardcoded API secret or token.

Critical

Code: suspicious.exposed_secret_literal
Location: src/vault/index.ts:66