Back to skill

Security audit

Patchright Skill

Security checks across malware telemetry and agentic risk

Overview

This browser automation skill is useful for testing, but it also enables broad web control, raw page scripting, screenshots, and a persistent local controller beyond its local-testing framing.

Install only if you need powerful browser automation for sites you own or are authorized to test. Avoid real credentials and production accounts, do not use it to bypass third-party anti-bot protections, pin and review the Patchright dependency, keep screenshots in a controlled location, and stop the background server after each session.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (22)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises and instructs use of browser automation that inherently performs network access, writes screenshots to disk, and likely reads local files/configuration, yet it declares no permissions or user-facing constraints. This is dangerous because consumers and calling systems cannot accurately reason about the skill's capability to access private network resources and persist potentially sensitive artifacts locally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose emphasizes localhost/dev testing, but the analyzed behavior reportedly includes broader public-web automation, arbitrary JavaScript execution in the current page, and a persistent local command server. That mismatch is dangerous because reviewers may approve or invoke the skill under a narrower trust model than the implementation actually requires, enabling abuse for stealthier browsing, data extraction, or command relaying.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The reference materially expands the skill from private/local QA automation into public internet search automation against Google, which broadens both data exposure and operational scope beyond the declared purpose. That scope drift increases the chance the skill is used for external browsing, scraping, or policy-evasive automation without corresponding guardrails, making misuse easier in practice.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Documenting an `evaluate` tool that executes arbitrary JavaScript on any loaded page creates a powerful primitive that exceeds ordinary QA actions like clicking, typing, and reading text. In the context of a browser automation skill with bot-detection bypass, this can be used to extract sensitive DOM data, manipulate application state, trigger unintended actions, or automate cross-site interactions on internal and external targets.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The navigate capability accepts any URL and does not enforce the skill's stated localhost/private-network scope. In an agent context, this can be used for unintended outbound browsing, including access to attacker-controlled sites, enabling data exfiltration, prompt-injection delivery through rendered content, or use of the host as a network pivot.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The module documentation claims a constrained localhost/private IP use case, but the implementation provides general-purpose browser automation with stealth features and no matching technical restrictions. This mismatch is dangerous because operators may trust the documented scope while the code can silently perform broader web access than expected.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This utility is explicitly designed for debugging Google Search pages, which is outside the skill's declared scope of local web applications and private-network/dev-server automation. Scope expansion to public websites increases the chance the skill can be used to collect or inspect external content in ways users may not expect, especially given the broader browser automation and bot-bypass context.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script retrieves the active page URL and title and persists a screenshot to disk, creating a direct data-exposure path for whatever page is open. In a skill advertised for local/private testing, this broader capture capability is risky because it can disclose browsing context or sensitive page contents outside the intended environment.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script adds a capability to browse the public internet and query Google, which exceeds the stated scope of a skill intended for localhost, dev servers, and private-network UI automation. Scope expansion is security-relevant because it enables outbound web access and data retrieval paths that users and policy controls may not expect from this skill.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Automated extraction of Google search results is an unjustified scraping capability relative to the skill's declared QA/debugging purpose for local applications. In context, this makes the skill more dangerous because a browser automation component with bot-evasion characteristics can be repurposed for external reconnaissance, scraping, or policy-evading collection beyond local testing needs.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The navigate tool accepts any caller-supplied URL and does not restrict destinations to localhost, private-network ranges, or an explicit allowlist. In a skill marketed for local/private QA automation, this broadens capability into unrestricted web browsing, which can be abused for unintended internet access, data interaction, or reaching sensitive internal endpoints if invoked by another component.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The evaluate tool exposes arbitrary JavaScript execution in the active page context, which is significantly more powerful than ordinary UI automation. This can be used to read/modify page state, extract secrets from DOM or storage, trigger privileged actions in authenticated sessions, and bypass intended interaction boundaries.

Vague Triggers

Medium
Confidence
89% confidence
Finding
These activation triggers are broad enough to match common benign requests such as checking a site or opening localhost, increasing the chance the skill is invoked without the user understanding that a high-capability browser automation tool with persistence may run. In this context, accidental activation is more dangerous because the skill can access local/private services and create files.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Generic interaction phrases like 'click', 'type', and 'login' are common in normal conversation and do not safely distinguish when the user intends to launch a browser automation skill. Because this skill supports credential entry and private-network interaction, an overbroad trigger surface can lead to unintended handling of sensitive workflows.

Vague Triggers

Medium
Confidence
87% confidence
Finding
Vague visual verification triggers like 'how does it look?' or 'is it working?' can map to many ordinary requests and may silently activate screenshotting or browser sessions. In a skill that saves screenshots locally and targets private/local services, such ambiguity raises privacy and unintended-data-capture risks.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The usage examples instruct taking screenshots and saving them to named files, but the description does not prominently warn that page contents will be persisted to local storage. This is dangerous because screenshots of internal apps, dashboards, or localhost pages may capture secrets, personal data, or unreleased product information without adequate user awareness.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill includes examples for typing email/password credentials into pages but omits a privacy warning about handling, exposing, and potentially persisting secrets during automation. This is especially risky in a persistent browser/server model because credentials can end up in logs, shell history, screenshots, browser state, or session storage.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Arbitrary navigation causes outbound network requests without any explicit warning, consent gate, or audit signal to the user. In an agent skill, this increases the risk of silent external communication, exposure of internal network metadata, and interaction with malicious web content outside the user's expectations.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The screenshot tool writes files to an arbitrary caller-supplied path without an explicit warning that local files will be created. This can lead to unexpected filesystem modification, overwriting of user files if paths collide, and persistence of potentially sensitive page captures on disk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script extracts and returns a substring of document.body.innerHTML, which may contain sensitive visible or hidden page data such as tokens, personal information, or internal application state. Exposing raw HTML for debugging without warning, minimization, or scope checks creates an unnecessary content exfiltration primitive.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Writing a screenshot to /tmp captures the rendered page and persists potentially sensitive information to local storage where it may be accessed later by other processes or users, depending on system configuration. This is especially concerning in a debugging tool because screenshots can silently include credentials, personal data, or non-local browsing content.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The screenshot function writes to an arbitrary caller-controlled filesystem path after converting it to an absolute path, with no restriction to a safe output directory. This can overwrite or create files in unintended locations and silently persist captured page contents, which may include sensitive information from local or private web apps.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.