m44 internal testing

Security checks across malware telemetry and agentic risk

Overview

This skill appears to perform its stated browser-extension setup, but it uses persistent browser policy changes and email magic-link login handling that are broader and more sensitive than a simple CRX install.

Review this before installing if you are not comfortable with system-level browser configuration. Confirm exactly which browser policy files it writes, how to remove them, whether it can force-install extensions, and how it will handle magic-link email access. VirusTotal was clean and the behavior does not show clear malicious intent, but the persistence and account-token handling warrant a careful review.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (5)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 91% confidence
Finding: The skill directs use of shell scripts that can install software, modify browser profiles, and write files, yet it declares no permissions. That mismatch prevents meaningful user consent and weakens sandboxing or policy enforcement, especially because the flow includes browser installation, extension deployment, and account-login steps.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 96% confidence
Finding: The skill claims a CRX-only install flow, but the referenced behavior also writes managed browser policy files and may enable Chrome Web Store sources or force-installation paths. That is more privileged and persistent than described, and writing browser policies under system locations can silently alter enterprise-style browser behavior beyond the stated task.

Description-Behavior Mismatch

High

Confidence: 98% confidence
Finding: The script installs managed browser policies that explicitly permit extension installation from Chrome Web Store domains and can optionally force-install an extension by ID via Google's update service. That directly conflicts with the skill's stated CRX-only, deterministic installation model and broadens the trust boundary from a pinned local artifact to remote storefront/update infrastructure, enabling unintended extension installation paths or silent installation of the wrong extension if inputs or surrounding workflow are compromised.

Intent-Code Divergence

Medium

Confidence: 93% confidence
Finding: The comments document a behavior that allows Chrome Web Store installation, which contradicts the skill metadata's promise to install via CRX only and never use the Web Store UI. In security-sensitive automation, this kind of mismatch is dangerous because operators may trust the safer documented intent while the code enables a broader and less controlled installation mechanism.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill instructs the agent to access a mailbox, retrieve a magic-link email, and open the authentication URL without any explicit privacy notice, consent boundary, or account-handling safeguards. Magic links are equivalent to account access tokens, so automated retrieval and opening can expose or misuse the user's email-backed authentication flow.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal