Security audit

Browser Demo Recorder

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it advertises, but it gives recording plans broad control over an active browser and can save sensitive browsing details to disk.

Review generated plans before running them. Use this skill only on public or throwaway demo pages, avoid `evaluate` steps unless you trust the code they run, do not type secrets during recordings, prefer a clean browser profile, keep `outputDir` under the workspace `media/` directory, and delete the debug JSON files when you are finished.

SkillSpector (by NVIDIA)

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Severity: Medium. Confidence: 95%.
The code deliberately redefines `navigator.webdriver` to hide that the browser is being automated. That is a stealth/evasion technique that can bypass bot-detection or site policy controls, and it is not necessary for basic browser demo recording. In the context of a recording skill, this increases risk because the helper can be used to access or interact with sites under false pretenses while appearing more human-like.
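To make the finding concrete, the following is an added example (not the skill's code) of what the `navigator.webdriver` override looks like and of the own-property check a site can use to spot it. The `makeNavigator` stand-in is constructed for the example: in a real browser the genuine `webdriver` getter lives on `Navigator.prototype`, which is exactly why redefining it on the instance leaves a trace.

```javascript
// Constructed stand-in for the browser's Navigator object (assumption for
// this example): the real `webdriver` getter is inherited from
// Navigator.prototype and is not an own property of `navigator`.
function makeNavigator(automated) {
  const proto = {};
  Object.defineProperty(proto, 'webdriver', {
    get() { return automated; },
    configurable: true,
    enumerable: true,
  });
  return Object.create(proto);
}

// The evasion pattern the finding describes: shadow the inherited getter
// with an own property so the page always sees "not automated".
function hideWebdriver(nav) {
  Object.defineProperty(nav, 'webdriver', {
    get: () => undefined,
    configurable: true,
  });
  return nav;
}

// Detection heuristic a site (or a reviewer of this skill) can apply: an own
// `webdriver` descriptor on the navigator object means something redefined
// it, because the genuine property is never an own property.
function webdriverLooksSpoofed(nav) {
  return Object.prototype.hasOwnProperty.call(nav, 'webdriver');
}
```

The value read through `nav.webdriver` changes from `true` to `undefined` after `hideWebdriver`, but `webdriverLooksSpoofed` flips from `false` to `true`, which is the kind of signal bot-detection products key on.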

Context-Inappropriate Capability

Severity: Medium. Confidence: 97%.
The `evaluate` step executes plan-supplied JavaScript via `new Function(...)` inside the browser context with no allowlist or capability restriction. Because the plan is external input, this turns a recording skill into a general-purpose script runner against whatever pages and authenticated sessions are open, enabling DOM manipulation, data extraction, or unintended actions beyond demo recording.
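An added example (not the skill's implementation) contrasting the unrestricted `new Function` dispatch the finding describes with a gated variant in which the plan cannot opt itself into code execution. The fake page object, the step shapes and the `allowEvaluate` option are assumptions made for this example.

```javascript
// Constructed stand-in for the page the steps act on; a real recorder would
// drive a Playwright or Puppeteer page. Field names are assumptions.
function makeFakePage() {
  return { url: 'https://demo.example/', title: 'Demo', clicks: [] };
}

// The behaviour the finding describes: an `evaluate` step compiles
// plan-supplied text with `new Function` and runs it against the page with
// no allowlist, so the plan author gets arbitrary code execution.
function runStepUnrestricted(page, step) {
  switch (step.type) {
    case 'click':
      page.clicks.push(step.target);
      return null;
    case 'evaluate':
      return new Function('page', step.code)(page);
    default:
      throw new Error(`unknown step type: ${step.type}`);
  }
}

// Gated variant: `evaluate` is refused unless the operator, not the plan,
// passes allowEvaluate. Refused steps are reported rather than silently
// skipped so the reviewer can see what the plan tried to run.
function runPlan(page, plan, options = { allowEvaluate: false }) {
  const results = [];
  const refused = [];
  for (const [index, step] of plan.steps.entries()) {
    if (step.type === 'evaluate' && !options.allowEvaluate) {
      refused.push({
        index,
        code: step.code,
        reason: 'evaluate steps are disabled; review the code and re-run with allowEvaluate',
      });
      continue;
    }
    results.push(runStepUnrestricted(page, step));
  }
  return { results, refused, page };
}

// Constructed plan: one benign click and one evaluate step that reads page state.
const samplePlan = {
  meta: { name: 'demo' },
  steps: [
    { type: 'click', target: '#start' },
    { type: 'evaluate', code: 'return page.title + " @ " + page.url;' },
  ],
};
```

Running `runPlan(makeFakePage(), samplePlan)` executes the click and returns the evaluate step under `refused`; only `runPlan(makeFakePage(), samplePlan, { allowEvaluate: true })` runs the supplied code. The important property is that the flag comes from the caller's options, so a plan received as external input cannot grant itself the capability.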

Context-Inappropriate Capability

Severity: Medium. Confidence: 98%.
`buildPaths` resolves `plan.meta.outputDir` directly and writes output there, rather than constraining writes to the workspace `media/` directory described by the skill. An attacker-controlled plan can redirect video and debug artifacts to arbitrary filesystem locations writable by the process, causing data exposure, overwrites, or policy bypass.

Vague Triggers

Severity: Medium. Confidence: 91%.
The manifest description uses very broad invocation language such as generic browser walkthrough, product demo, site recording, and packaging requests, which can cause the skill to be selected for loosely related user prompts. Over-broad routing increases the chance of unintended browser automation and file creation in the workspace when the user did not clearly request this specific capability.

Missing User Warnings

Severity: Medium. Confidence: 94%.
The skill explicitly writes MP4 and debug JSON artifacts into the workspace `media/` directory without requiring a user-facing warning or confirmation about filesystem side effects. This can create unexpected persistent artifacts, potentially storing sensitive page contents, typed data, or browsing traces in files the user did not realize would be saved.

Missing User Warnings

Severity: Medium. Confidence: 86%.
The interaction log records step details including typed text and resolved targets, which can capture secrets, search terms, URLs, and page-specific metadata to disk. In a browser-recording skill, this is especially sensitive because flows may involve authenticated sessions or user-provided credentials, and the logging occurs automatically without minimization in this file.

Missing User Warnings

Severity: Low. Confidence: 84%.
On success and error paths, the code writes debug JSON containing browsing metadata, step history, final/current URLs, and error details to disk. In this skill context, those artifacts may reveal private browsing activity, internal URLs, and user-entered content, making the logging materially more dangerous than generic diagnostics.
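The two preceding findings (the interaction log capturing typed text and targets, and the debug JSON capturing URLs and step history) both come down to the recorder writing unminimized data to disk. The following is an added example, not the skill's logging code, of the minimization pass a reviewer would want before anything is serialized: typed text is replaced by its length, and query strings and fragments are stripped from URLs. The log entries are constructed for the example and their field names are assumptions.

```javascript
// Constructed interaction-log entries in the shape the findings describe
// (field names are assumptions): navigations with full URLs, typed text
// with resolved targets, and clicks. Note the token in the login URL and
// the password typed in step 3.
const sampleLog = [
  { step: 1, type: 'navigate', url: 'https://app.example/login?next=/billing&token=abc123' },
  { step: 2, type: 'type', target: 'input[name=email]', text: 'dana@example.com' },
  { step: 3, type: 'type', target: 'input[type=password]', text: 'hunter2' },
  { step: 4, type: 'click', target: 'button[type=submit]', url: 'https://app.example/billing#top' },
];

// Keep origin and path (enough to follow the flow in a demo), drop the
// query string and fragment, which is where tokens and search terms live.
function stripQuery(url) {
  try {
    const u = new URL(url);
    u.search = '';
    u.hash = '';
    return u.toString();
  } catch (e) {
    return '[unparseable url]';
  }
}

// Minimize one entry: targets stay (they are selectors, not user data),
// URLs are stripped, typed text is reduced to its length.
function minimizeEntry(entry) {
  const out = { step: entry.step, type: entry.type };
  if (entry.target) out.target = entry.target;
  if (entry.url) out.url = stripQuery(entry.url);
  if (entry.type === 'type') {
    out.textLength = entry.text.length;
    out.text = '[redacted]';
  }
  return out;
}

function minimizeLog(log) {
  return log.map(minimizeEntry);
}

// Check used before writing the debug JSON: the serialized artifact must not
// contain any raw typed text from the run.
function leaksTypedText(log, serialized) {
  return log.some((e) => e.type === 'type' && e.text && serialized.includes(e.text));
}
```

Serializing `minimizeLog(sampleLog)` yields an artifact with `https://app.example/login`, the selectors, and `textLength` values, but no `hunter2`, no e-mail address and no `token=abc123`; `leaksTypedText(sampleLog, JSON.stringify(sampleLog))` shows the unminimized log fails the same check.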

VirusTotal

56 of 56 vendors reported this skill as clean.