Playwright Scraper

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed stealth web scraper, but it also contains unsafe browser-session reuse and shell execution risks that need review before installation.

Review before installing. Use only in an isolated browser/profile, do not attach it to your normal logged-in Chrome session, and fix or remove the execSync-based tool entry point. Remove the bundled Goofish search scripts if you only need a general scraper, and avoid using the skill to bypass access controls, scrape against site rules, or search for cheating/fraud services.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands

Findings (16)

Context-Inappropriate Capability

Medium, 93% confidence
The script hard-codes a DevTools WebSocket URL and attaches to an already running Chrome instance, inheriting that browser's active profile, cookies, and authenticated sessions. This can let the skill operate inside a user's existing browsing context and access or manipulate live account data far beyond isolated scraping, which is especially risky for a scraping skill explicitly designed to bypass anti-bot protections.

Context-Inappropriate Capability

Medium, 95% confidence
The script attaches to an already-running Chrome DevTools session via a fixed local CDP WebSocket instead of launching an isolated browser instance. This can grant the skill access to the user's existing browser context, including authenticated tabs, cookies, storage, and open pages, which materially increases the risk of privacy compromise or unintended interaction with unrelated sessions.

Context-Inappropriate Capability

Medium, 94% confidence
The tool passes user-controlled input directly into a shell command via execSync, which creates a command injection path if the URL contains shell metacharacters or quote-breaking payloads. In this context, the subprocess is not merely an implementation detail for scraping; it materially expands the attack surface from web access to arbitrary local command execution on the host running the skill.

Context-Inappropriate Capability

Medium, 97% confidence
The script connects to a pre-existing local Chrome DevTools Protocol endpoint and enumerates existing browser contexts/pages, which can expose unrelated authenticated sessions, cookies, open tabs, and page content. In a skill context, this grants access broader than necessary for simple scraping and could be abused to inspect or act within the user's already-open browser state.

Description-Behavior Mismatch

Medium, 88% confidence
The file does not implement a general-purpose scraping capability as described; instead it performs hard-coded searches for specific terms, including terms associated with academic work and paid writing. In the context of a Playwright skill explicitly designed to bypass anti-bot protections, this mismatch is suspicious because it narrows the tool toward potentially abusive content discovery rather than a reusable automation utility.

Context-Inappropriate Capability

High, 95% confidence
Searching for the explicit ghostwriting-related term "python代写" is a strong indicator that the skill can be used to locate services facilitating academic or professional fraud. Combined with stealthy browser configuration and anti-detection measures, this increases the likelihood that the code is meant to help evade platform controls while discovering illicit marketplaces or service listings.

Context-Inappropriate Capability

Medium, 95% confidence
The code connects to an already-running Chrome instance over a hard-coded local DevTools websocket, which can grant access to existing browser contexts, pages, cookies, session state, and authenticated content unrelated to the stated task. In a skill context, this is dangerous because it can silently piggyback on a user's live browser session and access sensitive data beyond the Goofish scraping workflow.

Missing User Warnings

Medium, 96% confidence
The script attaches to an already-running Chrome instance over a hardcoded CDP WebSocket endpoint and enumerates open tabs, titles, URLs, and page contents without any user consent, scoping, or access control. That exposes potentially sensitive data from the user's live browsing session and can interact with authenticated pages, making it a real privacy and session-compromise risk rather than a harmless local automation task.

Missing User Warnings

Medium, 95% confidence
The automation silently connects to a live browser session and immediately navigates to an external site without any warning, prompt, or confirmation. In the context of a stealth scraping skill, this means the code can drive a user's existing authenticated browser against a real service, causing unintended requests, account actions, tracking exposure, or collection of sensitive page content.

Missing User Warnings

Medium, 90% confidence
The code silently connects to a local browser debugging endpoint and navigates to external websites without any disclosure, consent flow, or visible boundary between the user's browser activity and the automation task. In the context of a scraping skill, this is more dangerous because it may operate within an authenticated, user-owned browsing session and expose user data or trigger unintended actions on third-party sites.

Missing User Warnings

Medium, 98% confidence
The skill attaches to an already-running browser via a local CDP WebSocket and inspects existing pages, which can expose browsing state, authenticated sessions, and page contents without explicit user consent. In this context, the risk is heightened because the code reuses an existing browser context and searches for matching tabs before opening its own page, enabling unintended access to unrelated user data in the same session.

Missing User Warnings

Medium, 94% confidence
The script attaches to an already-running Chromium instance over a local DevTools WebSocket and then enumerates existing pages, reusing a tab if its URL contains 'goofish'. This can let the skill operate inside a user's live browser context, inheriting cookies, session state, and open tabs without any consent prompt or isolation, which makes unintended access to authenticated content and interference with user browsing plausible.

Missing User Warnings

Low, 86% confidence
The script automatically navigates the connected browser context to an external site, which generates network traffic and may expose the user's IP address, browser fingerprint, cookies, and logged-in state if the reused page/session is authenticated. In this skill context, the goal is anti-bot evasion scraping, which increases concern because it is designed to act covertly and can silently use a real user's browser identity.

Natural-Language Policy Violations

Medium, 95% confidence
The dependency set explicitly includes anti-detection tooling such as `playwright-extra`, `puppeteer-extra`, and `puppeteer-extra-plugin-stealth`, and the skill description states it is used to bypass anti-scraping protections. While this is not a software memory-safety flaw, it is a security-relevant capability that enables covert automation, reduces transparency to target services, and can facilitate abuse of protected web resources or policy circumvention. In this context, the stated purpose makes the finding more dangerous, not less.

Missing User Warnings

Medium, 92% confidence
The code silently attaches to an existing browser session and performs navigation to external sites without any user-facing disclosure or confirmation. In this skill context, undisclosed browser automation increases the risk of unexpected network activity, interaction with authenticated state, and collection of marketplace data from a session the user did not intend to share.

Missing User Warnings

Medium, 83% confidence
The script performs remote navigation and extracts full page text from a live site without any notice, consent, or explanation of what data will be retrieved. Because it is attached to an existing browser session, the extraction may include user-specific or authenticated content, making silent collection more risky in this skill context.

VirusTotal

VirusTotal findings are pending for this skill version.
