Camofox Browser

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed browser automation tool, but it needs Review because it auto-starts a powerful local browser server with raw page scripting, cookie import, and broad session controls that are not tightly scoped.

Install only if you intentionally want an anti-detection browser automation service. Disable auto-start unless needed, bind or firewall the server to trusted local access, set CAMOFOX_API_KEY before using cookies, import only cookies you are comfortable giving to an automated browser, and require explicit confirmation before actions on logged-in accounts, purchases, account settings, posting, or session deletion.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding:
The documentation explicitly describes how to structure code to avoid triggering a security scanner, focusing on separating risky primitives across files rather than reducing the underlying risk. This can enable concealment of credential access, subprocess use, or network-capable behavior from automated review, which materially weakens defense-in-depth even if the text is framed as compliance guidance.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding:
The documentation explicitly describes how to restructure code to avoid static scanner rules rather than how to reduce underlying security risk. That is a strong indicator of deliberate scanner-evasion guidance: sensitive behaviors such as environment-variable access, subprocess execution, and network-capable route handling may still exist across modules, but are intentionally separated so automated review misses the combined behavior.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding:
The comment explicitly states that environment-variable access was centralized to avoid scanner detections in files that also perform network activity. That is a scanner-evasion rationale, which is dangerous because it normalizes hiding sensitive-input handling from security review and can mask later credential harvesting or secret exfiltration paths across files.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
The plugin deliberately exposes an unrestricted page-context JavaScript execution primitive via `camofox_evaluate`. In an agent-tooling context, this significantly expands capability beyond basic browsing into arbitrary script injection, DOM exfiltration, and invoking in-page authenticated APIs, which can be abused to steal data or perform sensitive actions as the logged-in user.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding:
The /tabs/:tabId/evaluate endpoint accepts arbitrary JavaScript from the client and executes it in the browser page context without any apparent authorization or sandbox policy beyond the page itself. In a browser automation service that can maintain authenticated sessions, this lets a caller run arbitrary script against whatever site is loaded, enabling data exfiltration from DOM state, CSRF-like action chaining within the page, and abuse of imported cookies or authenticated browser contexts.

Missing User Warnings

Severity: Medium
Confidence: 77%
Finding:
The guide exposes powerful browser automation operations that can navigate arbitrary sites, manipulate page elements, preserve cookies/storage by user session, and delete session data, but it provides no warnings or constraints around privacy, consent, sensitive-site access, or data handling. In an agent skill context, this increases the likelihood of unsafe use such as interacting with logged-in accounts, submitting forms, or collecting browsing content without adequate safeguards.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding:
This skill automates live browser actions against external sites, but the quick-start/workflow text does not warn that actions may affect authenticated sessions, submit forms, trigger purchases, modify account data, or interact with real-world services. In an agent context, lack of explicit warnings and consent boundaries increases the chance of unsafe autonomous use.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The documentation exposes a destructive endpoint to delete all user session data without any surrounding warning, confirmation guidance, or mention of authorization expectations. In agent-driven workflows, such an omission can lead to accidental or unauthorized loss of cookies, storage, and conversation/task state.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The code fetches arbitrary image URLs from the browser context using `credentials: 'include'`, which causes cookies and other ambient credentials for the target origin to be sent automatically. If the page contains attacker-controlled or sensitive internal image URLs, enabling `includeData` can turn this helper into a credentialed content exfiltration primitive by retrieving authenticated resources and returning their contents as data URLs to the caller.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The manifest explicitly markets the plugin as "anti-detection browser automation" and enables auto-start by default, but provides no warning, consent mechanism, or guardrails around privacy, evasion, or system-resource impact. In an agent skill context, this increases the risk of covert browsing automation, fingerprint-evasion misuse, and background service execution without administrators fully understanding the implications.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding:
The plugin auto-starts and manages a local browser server on load with no explicit user approval at the moment of action. In a plugin ecosystem, side effects during registration increase risk because merely enabling the skill causes process creation and network service exposure, which can surprise operators and enlarge attack surface.

Missing User Warnings

Severity: High
Confidence: 95%
Finding:
The cookie import path reads authentication cookies from disk and transmits them to the browser server, enabling session takeover within the automated browser. Because this is a browser automation skill explicitly intended to bypass login friction on sites like LinkedIn, the context makes misuse more dangerous: imported cookies may grant access to highly sensitive authenticated accounts without interactive consent.

VirusTotal

67/67 vendors flagged this skill as clean.
