Chrome Extension Installer

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly straightforward, but it includes a high-impact Chrome force-install method that can silently and persistently install extensions through managed policy.

Before installing, prefer the Chrome Web Store method where Chrome shows the extension and permissions. Only use the force-install policy if you intentionally want managed, persistent installation and trust the exact extension ID; record how to remove the policy entry afterward.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill explicitly documents a silent force-install path that modifies Chrome's managed policy so an extension is installed without the user's approval. Because browser extensions can access page content, cookies, and browsing activity depending on permissions, providing a turnkey persistence mechanism via system policy materially increases the chance of unauthorized surveillance or browser compromise.

VirusTotal

51/51 vendors flagged this skill as clean.

View on VirusTotal