Security audit

Super Agent Browser

Security checks across malware telemetry and agentic risk

Overview

This skill is a browser automation guide with expected but sensitive cookie and session-state features that users should handle carefully.

Install only if you trust the agent-browser CLI source and need browser automation. Treat saved auth state files, cookies, and localStorage values like passwords: keep them out of repositories and logs, use least-privilege test accounts where possible, and avoid loading real authenticated sessions unless the task requires it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly documents saving and loading browser auth state and exposing cookies/localStorage, but provides no warning that these artifacts may contain session tokens, persistent credentials, or other sensitive data. In an agent context, this increases the risk of accidental credential reuse, unsafe storage, or exfiltration of authenticated session material through logs, files, or follow-on tool actions.

VirusTotal

49/49 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.