Brave Loggedin Tag Browsing

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises, but it uses a real logged-in browser session/profile with broad browser-control authority and limited containment.

Install only after review. Use a dedicated Brave/Chrome profile and a non-sensitive social account, avoid attaching it to your normal browser session, and treat returned social posts as untrusted content. This is not evidence of malware, but it should not be installed casually because it can act through and report details from a logged-in browser context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The code launches a persistent browser context using the user's real Chrome/Brave profile directory, which exposes all cookies, active logins, and broader browsing session state to the skill. That exceeds the narrow task of reading social-media pages and creates a data-access boundary issue: if the skill is modified or abused, it could access unrelated authenticated sites and sensitive profile data.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill will attach over CDP to whatever browser is listening on localhost:18800 and then reuse its first context/page, effectively inheriting that browser's authenticated state and open-session access. This is more powerful than needed for viewing social-media posts and can expose unrelated tabs, accounts, and browsing data if a personal browser is attached.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill launches a persistent browser context using a real local profile directory, which grants access to whatever authenticated state, cookies, saved sessions, and potentially other browsing artifacts already exist in that profile. In the context of an agent skill, this exceeds simple public-page scraping and enables broad interaction with a user's logged-in browser identity across sites, creating significant risk of unauthorized access or data exposure.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Connecting over CDP to an already running browser lets the skill attach to and control an existing interactive session, including tabs and authenticated contexts unrelated to the stated purpose. That capability is broader than browsing a target profile page and can expose sensitive data or permit unintended actions in the user's live browser environment.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The README advertises a natural-language trigger that is broad enough to match ordinary user requests such as asking to 'look at' someone's latest statements. In an agent environment, this can cause unintended invocation of a skill that opens a logged-in browser session and accesses social-media content, creating authorization and privacy risks beyond the user's likely expectation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README emphasizes use of an already logged-in Brave session and extraction of the logged-in account name, but the warning text does not clearly explain the privacy implications of exposing authenticated session context. In practice, this can reveal account identity and allow the skill to operate with that account's access, which is sensitive in an agentic system.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are broad enough that normal requests like checking social media or viewing posts could invoke a skill that operates a logged-in browser session against privacy-sensitive accounts. In this context, accidental invocation is more dangerous than usual because the skill can access authenticated content and extract profile/post data from X/Facebook without an explicit, narrowly scoped consent prompt.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly uses an already logged-in Brave session to browse X/Twitter and Facebook and extract posts, profile data, and engagement stats, but it does not present a clear privacy or consent warning. Because authenticated sessions can expose non-public or account-linked information, the absence of an up-front warning materially increases the risk of unauthorized data access, user surprise, and privacy violations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code launches or attaches to a persistent browser context using an existing local profile directory, which can reuse authenticated cookies, saved sessions, and other sensitive browser state without any user disclosure or consent check. In this skill’s context, that is especially dangerous because it is explicitly designed to browse social platforms while logged in, enabling access to private account context and potentially exposing data from the operator’s real browser session.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill actively inspects page elements to determine whether the browser is logged in and returns account-identifying status information to the caller. This leaks session/account state from the active browser context without clear disclosure, which is particularly sensitive here because the skill is intended to operate against X/Twitter and Facebook in an authenticated session.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The automation reads login status and profile information from a persistent personal browser session without any visible consent, warning, or disclosure in the code path. Even if intended for convenience, silently accessing authenticated state and profile metadata can surprise users and leak personal information beyond expected skill behavior.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The automation reuses a persistent logged-in browser profile without any warning, consent prompt, or clear indication that authenticated sessions will be used. This undermines user expectations and can cause the skill to access private or account-scoped content under the user's identity without meaningful confirmation.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill is explicitly designed to operate in a logged-in Brave session against X/Twitter and Facebook and even exposes the browser's current login status. That creates a real privacy and account-context risk because users may unknowingly grant the skill access to authenticated views, private feed data, or account-linked metadata without prominent warning or consent boundaries.

Unpinned Dependencies

Low
Category
Supply Chain
Content
  "author": "Shuttle AI",
  "license": "CC BY-NC 4.0",
  "dependencies": {
    "playwright": "^1.58.2"
  },
  "devDependencies": {
    "@types/node": "^25.5.0",
Confidence
91% confidence
Finding
"playwright": "^1.58.2"

VirusTotal

62/62 vendors flagged this skill as clean.
