Agent Browser

Security checks across malware telemetry and agentic risk

Overview

This browser automation skill is mostly coherent, but it deserves Review because it combines broad browser/account control with proxy-evasion guidance and under-scoped handling of saved sessions and recordings.

Install only if you trust the separate `agent-browser` executable and need broad browser automation. Use test or least-privilege accounts, avoid proxy rotation to bypass site rules, do not commit or share saved state/recording/screenshot files, and store credentials and proxy secrets through protected environment or secret-management mechanisms rather than literal command examples.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The documentation explicitly frames proxy support as useful for rate limiting avoidance and includes a 'Rotating Proxies for Scraping' example to avoid bans. In a browser automation skill, that guidance goes beyond neutral configuration help and facilitates evasive behavior against third-party service controls, which can be abused for scraping or policy circumvention.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill includes explicit examples of entering credentials and saving authenticated browser state to a file without any warning about secret handling, file protection, or replay risk. In a browser automation tool, persisted auth state can contain cookies or tokens that grant account access if the file is exposed, reused improperly, or committed to logs/repos.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The recording feature documents that it preserves cookies/storage from the current session but does not warn that videos may capture sensitive page contents, tokens, personal data, or authenticated workflows. This creates a realistic risk of accidental disclosure through saved recordings or shared artifacts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The example saves and later restores authenticated browser state, which typically contains session cookies or tokens that grant account access. Although the document includes general best practices later, there is no inline warning at the point of use, so users may copy the example without understanding that the file is a sensitive secret and should be protected like credentials.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Saving browser state after an OAuth/SSO flow is especially sensitive because it may capture live federated session tokens tied to a primary identity provider account. Without a nearby warning, users may persist or share this file unsafely, enabling account takeover of both the application and possibly broader SSO-backed access.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The HTTP Basic Auth example passes credentials directly on the command line, which can expose them through shell history, process listings, audit logs, or CI job output. Users copying this pattern may unintentionally disclose reusable credentials to other local users or logging systems.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The cookie-based authentication example sets a session token directly without warning that the token itself is equivalent to authenticated access. Users may treat the value as a harmless example and expose it in scripts, logs, screenshots, or source control, leading to session hijacking.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The examples embed proxy usernames and passwords directly in environment variable URLs, which normalizes insecure credential handling without warning about exposure through shell history, process listings, logs, screenshots, or shared terminal sessions. Because this skill automates browser workflows, users may copy these patterns into scripts and CI environments, increasing the chance of secret leakage.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation promotes recording browser sessions, screenshots, and CI artifacts without warning that these captures can include credentials, session tokens, personal data, or other sensitive page content. In a browser automation skill, this omission is especially risky because the examples explicitly record login flows and form filling, increasing the likelihood that secrets and regulated data are stored in video artifacts and shared beyond their intended scope.

Missing User Warnings

Low
Confidence
93% confidence
Finding
The script writes a screenshot of the post-submission page to /tmp/form-result.png, which may contain sensitive information such as personal data, confirmation numbers, or account details. Persisting that image to local disk without warning, access controls, or cleanup can expose data to other local users, later processes, or forensic recovery depending on system configuration.

Session Persistence

Medium
Category
Rogue Agent
Content
### Load Session State

```bash
# Restore saved state
agent-browser state load /path/to/auth-state.json

# Continue with authenticated session
```
Confidence
91% confidence
Finding
Restore saved state

VirusTotal

63/63 vendors flagged this skill as clean.
