auto-fill

Security checks across malware telemetry and agentic risk

Overview

This form-filling skill is not clearly malicious, but it gives the agent broad browser-control setup authority and weakens user control over where data is entered.

Review before installing. Use it only with a separate Chrome profile and pages you trust, confirm the exact destination URL before any filling, avoid sensitive forms unless you are watching closely, pin the MCP package version, and close the debug Chrome process when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The skill materially expands beyond its declared purpose of reading form structure and autofilling fields by instructing the agent to launch Chrome via shell and to autonomously infer and navigate to destinations. This increases privilege and action scope from in-browser assistance to local process control and unsolicited navigation, which can expose session data or cause the agent to interact with unintended sites.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
Launching a local Chrome process through the shell is not necessary for a form-filling skill and grants the agent host-level execution capability unrelated to field detection or input. Even if intended for convenience, this broadens the attack surface and can be abused to start a persistent browser tied to local profiles or authenticated sessions.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill tells the agent to start Chrome in the background without explicit user-facing warning or confirmation. Silent background process creation is especially risky here because Chrome is started with remote debugging enabled, which can expose browsing context, cookies, and authenticated pages to automation without the user clearly consenting at execution time.

VirusTotal

65/65 vendors flagged this skill as clean.
