Security audit

Browser Use Agent

Security checks across malware telemetry and agentic risk

Overview

This skill needs Review because its browser-automation label conflicts with authoritative finance/ZVT instructions while also advertising high-impact browser actions like checkout, login, uploads, and persistent profiles.

Review carefully before installing. Do not give this skill credentials, payment access, persistent browser profiles, or permission to submit forms until the publisher provides a single coherent purpose, scoped triggers, explicit domain limits, final approval gates for purchases/uploads/submissions/account changes, and clear retention rules for logs and generated skill files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Description-Behavior Mismatch

Severity: High. Confidence: 98%.
The human summary is materially inconsistent with the declared skill purpose: the manifest says this is a browser-automation library, while the summary describes a finance/ZVT quant-trading assistant and also unrelated browser tasks. This kind of capability and identity mismatch is dangerous because it can misroute the agent, bypass intended safety boundaries, and cause users or orchestration systems to invoke actions under false assumptions about what the skill is supposed to do.

Intent-Code Divergence

Severity: High. Confidence: 97%.
The inline documentation advertises finance-specific strategy generation, data collection, trading pipelines, and parameter defaults that are inconsistent with the stated browser-use agent intent. In a skill ecosystem, such misleading instructions can steer downstream agents into performing unintended high-risk financial tasks or fabricating unsupported behavior, increasing the chance of unsafe automation and unauthorized decision-making.

Description-Behavior Mismatch

Severity: High. Confidence: 99%.
The seed manifest is fundamentally misaligned with the advertised skill: metadata says browser automation, while the body specifies finance/ZVT backtesting behavior plus unrelated browser workflows. This kind of capability confusion can cause the host or user to invoke the skill under false assumptions, leading to execution of unexpected code paths, broader permissions, and unsafe automation outside the declared scope.

Intent-Code Divergence

Severity: High. Confidence: 98%.
The user-facing summary claims A-share quant-strategy assistance, but the same file advertises job applications, grocery checkout, visa monitoring, and social-profile search. This mismatch increases the chance of deceptive or accidental activation, because users and reviewers cannot reliably infer what the skill will actually do from the summary presented to them.

Context-Inappropriate Capability

Severity: High. Confidence: 99%.
The manifest grants broad browser-automation actions far beyond the stated finance purpose, including credential-backed login, checkout flows, CAPTCHA handling, and daemon/browser control. Broad undeclared capabilities are dangerous because they enlarge the attack surface and can trigger sensitive operations on websites without users understanding that the skill includes those powers.

Vague Triggers

Severity: Medium. Confidence: 87%.
The invocation guidance is very broad, covering generic web automation tasks like form filling, scraping, testing, and cross-site data collection without clear trigger boundaries, approval requirements, or domain restrictions. In a skill that turns an LLM into a browser operator and can execute actions via CDP, vague activation criteria can cause overuse in sensitive contexts, including unintended access, data collection, or destructive actions on live sites.

Missing User Warnings

Severity: Medium. Confidence: 91%.
The summary claims the skill can monitor visa appointments, complete grocery checkout with TWINT, and auto-fill job applications including resume upload, but provides no explicit warning, consent gating, or account/payment safeguards. These are high-consequence browser actions involving personal data, external accounts, and possible financial charges, so presenting them casually increases the risk of unauthorized transactions, privacy violations, and irreversible submissions.

Vague Triggers

Severity: Medium. Confidence: 88%.
Using a trigger like "apply" is too broad and can match many ordinary requests, causing accidental invocation of an automation skill. In a skill that includes form-filling and execution behavior, ambiguous activation can lead to unintended browsing or actions being taken under the wrong workflow.

Vague Triggers

Severity: Medium. Confidence: 90%.
Triggers such as "shopping," "cart," and "checkout" are generic and likely to collide with benign user conversation. Because this skill includes end-of-flow purchase automation, accidental routing could escalate from misunderstanding into real-world transactional actions.

Vague Triggers

Severity: Medium. Confidence: 86%.
Single-word triggers like "visa," "appointment," and "monitor" are too generic for reliable routing and may capture unrelated requests. In an automation context, this can cause unintended recurring polling or interaction with sensitive government portals.

Vague Triggers

Severity: Medium. Confidence: 92%.
The trigger term "login" is extremely broad and can overlap with many unrelated user intents. Since this skill supports vault-backed credential flows, accidental activation around authentication tasks is especially risky and may prompt handling of secrets in the wrong context.

Vague Triggers

Severity: Medium. Confidence: 84%.
Generic triggers like "download," "file," and "save" are underspecified and prone to false matches. When mapped to browser automation and filesystem actions, accidental invocation can cause unintended downloads, writes, or data handling.

Vague Triggers

Severity: Medium. Confidence: 82%.
Phrases like "system prompt," "customize," and "override" are broad and can be triggered in ordinary discussion about prompting or model behavior. In this manifest, they route into prompt-modification behavior that can weaken safety controls if invoked unintentionally.

Vague Triggers

Severity: Medium. Confidence: 87%.
Reusing the trigger phrase "structured output" across multiple use cases creates ambiguous activation and inconsistent behavior selection. In an execution-oriented skill, ambiguous routing can select the wrong pipeline, schema, or action sequence and produce unsafe or misleading results.

Missing User Warnings

Severity: High. Confidence: 95%.
The manifest advertises destructive or sensitive operations such as checkout, login, resume upload, and browser control without a prominent warning at the trigger/description level. Users may invoke the skill without appreciating that it can authenticate, submit forms, or complete transactions, increasing the risk of unauthorized or unintended actions.

Ssd 3

Severity: Medium. Confidence: 93%.
The instruction to log popup text into memory can retain sensitive dialog contents such as filenames, account names, destructive confirmations, or personal data. Storing such text in natural-language memory increases exposure to later prompts, logs, or cross-task leakage.

VirusTotal

65/65 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.