Security audit

Dexter Browser Automation

Security checks across malware telemetry and agentic risk

Overview

This browser automation skill is mostly purpose-aligned, but it exposes broad live-browser capabilities and anti-bot evasion guidance without adequate disclosure or guardrails.

Install it only if you need powerful Playwright-based browser automation and can supervise its use. Do not pass real passwords on the command line (they end up in shell history and process listings), use the skill only on sites and accounts you are authorized to access, review any JavaScript before running cdp.py eval, and restrict screenshots and downloads to safe temporary or workspace paths.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill instructs users to run shell commands (`python3 ...`) and to install Playwright, but it declares no corresponding permissions. Undeclared shell capability weakens policy enforcement and review, because operators may not realize that the skill can launch local scripts with browser and filesystem side effects.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 82%
Finding: The documented behavior is narrower than the reported implemented capabilities, which include arbitrary JavaScript evaluation and additional state-changing interactions. When a skill advertises itself as limited browser automation but can execute arbitrary code in page context, reviewers and downstream agents may grant it more trust than warranted, enabling data exfiltration, unsafe actions in authenticated sessions, or bypass of intended tool boundaries.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: The documentation includes explicit anti-bot evasion techniques: disabling automation indicators, overriding the user agent, and masking navigator.webdriver. In a general browser-automation skill these go beyond ordinary rendering or interaction needs; they enable stealthy scraping and bypass of site defenses, increasing misuse risk.

Context-Inappropriate Capability
Severity: Medium
Confidence: 96%
Finding: The `eval` command exposes arbitrary JavaScript execution in a live browser page, enabling unrestricted DOM manipulation, data extraction, and the triggering of network requests or state-changing actions within authenticated sessions. In an agent skill intended for browser automation, this materially expands capability beyond constrained interaction primitives and increases abuse risk whenever upstream prompts or inputs are attacker-controlled.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The login example fills username and password fields and then scrapes a dashboard, but gives no warning about secrets handling, session persistence, or the risk of collecting protected data. In a browser-automation skill this omission is more dangerous than usual, because the tool is specifically designed to interact with authenticated, dynamic pages where credentials and sensitive content are common.

Missing User Warnings
Severity: Low
Confidence: 86%
Finding: The screenshot feature can capture rendered pages that contain personal information, account data, tokens visible in the UI, or other confidential material, yet no warning is provided. In a browser automation context this is a genuine data-handling risk, because screenshots are typically saved to disk and shared outside the original security boundary.

Missing User Warnings
Severity: Medium
Confidence: 87%
Finding: The login example demonstrates filling credentials into a remote site but provides no warning about handling secrets, user consent, trust in the destination, or secure storage. In an agent skill this can normalize collecting or replaying credentials and may lead to credential exposure, phishing-style misuse, or unintended transmission of sensitive data.

Missing User Warnings
Severity: Medium
Confidence: 84%
Finding: The download example saves remote content directly to a caller-provided path without discussing path validation, overwrite protection, or trust in the downloaded file. In an automation context this can lead to arbitrary local file creation, or to overwriting important files, if the path is unsafe or attacker-influenced.
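One way to close the gap this finding describes, as an added example that is not part of the Dexter skill or of the SkillSpector report: resolve the caller-supplied path against a workspace root, reject anything that escapes it (absolute paths, `..` segments, symlinks pointing outside), and create the file with O_EXCL so an existing file is never overwritten. The function names, the workspace-root convention and the sample paths are assumptions chosen for illustration.

```python
# Added example: a guard for caller-supplied download paths. Not the Dexter
# skill's own code; names and the workspace-root convention are assumptions.
import os
import tempfile
from pathlib import Path


class UnsafeDownloadPath(ValueError):
    """Raised when a requested save path is rejected by policy."""


def resolve_download_path(workspace: Path, requested: str) -> Path:
    """Map *requested* into *workspace* and reject anything that escapes it.

    An absolute *requested* replaces the root when joined, and '..' segments
    are collapsed by resolve(); both cases are caught by the containment
    check, which runs on the symlink-resolved path so a link inside the
    workspace cannot point at ~/.ssh or /etc.
    """
    root = workspace.resolve()
    candidate = (root / requested).resolve()
    if candidate == root or root not in candidate.parents:
        raise UnsafeDownloadPath(f"{requested!r} resolves to {candidate}, outside {root}")
    return candidate


def is_safe_download_path(workspace: Path, requested: str) -> bool:
    """Boolean form of resolve_download_path() for policy checks."""
    try:
        resolve_download_path(workspace, requested)
        return True
    except UnsafeDownloadPath:
        return False


def save_download(workspace: Path, requested: str, data: bytes) -> Path:
    """Write *data* to a validated path, refusing to overwrite an existing file."""
    target = resolve_download_path(workspace, requested)
    target.parent.mkdir(parents=True, exist_ok=True)
    # O_EXCL makes creation atomic: a file that already exists (or that a
    # concurrent writer races in) raises FileExistsError instead of being
    # clobbered. Mode 0o600 keeps downloaded content private to this user.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


def download_demo() -> dict:
    """Exercise the guard in a throwaway workspace (constructed sample input)."""
    ws = Path(tempfile.mkdtemp(prefix="dexter-ws-"))
    saved = save_download(ws, "downloads/report.pdf", b"%PDF-1.7 sample")
    try:
        save_download(ws, "downloads/report.pdf", b"overwrite attempt")
        overwrite_blocked = False
    except FileExistsError:
        overwrite_blocked = True
    attempts = ("../escape.txt", "/etc/passwd", "downloads/../../escape.txt", "downloads/ok.bin")
    rejected = [r for r in attempts if not is_safe_download_path(ws, r)]
    return {
        "saved_inside_workspace": ws.resolve() in saved.parents,
        "overwrite_blocked": overwrite_blocked,
        "rejected": rejected,
    }


if __name__ == "__main__":
    print(download_demo())
```

Trust in the downloaded content itself is a separate question: this guard only controls where bytes land, not what they are, so a downloaded file should still be treated as untrusted input before anything opens or executes it.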

Missing User Warnings
Severity: High
Confidence: 90%
Finding: The `click` and `fill` primitives can interact with arbitrary pages and may trigger purchases, form submissions, account changes, or other remote state modifications, especially in an authenticated browser context. Because there are no safeguards such as domain restrictions, a dry-run mode, or confirmation requirements, prompt-influenced workflows can abuse these actions to perform unintended transactions or destructive operations.
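The safeguards this finding and the `eval` finding above call for (domain restrictions, a dry-run mode, and confirmation before state-changing actions) can be put in front of the primitives rather than inside them. The following is an added example, not code from the Dexter skill or from SkillSpector: a policy object that every primitive call passes through before it reaches the browser. The primitive names, the allowlist format and the confirmation hook are assumptions for illustration; the audit log redacts values typed into `fill` so a password never lands in logs.

```python
# Added example: a policy gate in front of state-changing browser primitives.
# Not the Dexter skill's code; primitive names and allowlist format are assumed.
from dataclasses import dataclass, field
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

# Hypothetical primitive names, split by whether they can change remote state.
READ_ONLY = frozenset({"goto", "screenshot", "text", "html"})
STATE_CHANGING = frozenset({"click", "fill", "eval", "download"})


class ActionDenied(PermissionError):
    """The policy refused to run a browser primitive."""


def describe(action: str, url: str, args: dict) -> str:
    """Human-readable action summary; never echoes the value typed into a fill."""
    shown = {k: ("<redacted>" if action == "fill" and k == "value" else v)
             for k, v in args.items()}
    return f"{action} on {url} {shown}"


@dataclass
class BrowserPolicy:
    allowed_hosts: frozenset                              # exact hosts the operator authorized
    dry_run: bool = False                                 # plan and log, never execute
    confirm: Callable[[str], bool] = lambda desc: False   # out-of-band approval hook
    audit_log: List[Tuple[str, str]] = field(default_factory=list)

    def host_allowed(self, url: str) -> bool:
        host = (urlsplit(url).hostname or "").lower()
        return host in self.allowed_hosts

    def gate(self, action: str, page_url: str, **args) -> bool:
        """Return True if *action* may run now on the page at *page_url*.

        Off-allowlist hosts are denied for every primitive. State-changing
        primitives additionally need either dry-run (logged, not run) or an
        explicit approval from the operator hook, which sees the same
        redacted description that lands in the audit log (for eval, that
        includes the script text, so it can be reviewed before it runs).
        """
        desc = describe(action, page_url, args)
        if not self.host_allowed(page_url):
            self.audit_log.append(("DENY", desc))
            raise ActionDenied(f"host {urlsplit(page_url).hostname!r} is not allowlisted")
        if action in STATE_CHANGING:
            if self.dry_run:
                self.audit_log.append(("DRY-RUN", desc))
                return False
            if not self.confirm(desc):
                self.audit_log.append(("UNCONFIRMED", desc))
                raise ActionDenied(f"{action} requires operator confirmation")
        elif action not in READ_ONLY:
            self.audit_log.append(("DENY", desc))
            raise ActionDenied(f"unknown primitive {action!r}")
        self.audit_log.append(("ALLOW", desc))
        return True


def policy_demo() -> dict:
    """Constructed scenario: only app.example.com is authorized, and the
    operator hook approves anything except descriptions mentioning 'buy'."""
    allow = frozenset({"app.example.com"})
    policy = BrowserPolicy(allowed_hosts=allow, confirm=lambda desc: "buy" not in desc)
    out = {}
    out["screenshot_ok"] = policy.gate("screenshot", "https://app.example.com/dash")
    out["login_fill_ok"] = policy.gate("fill", "https://app.example.com/login",
                                       selector="#password", value="s3cret-hunter2")
    try:
        policy.gate("click", "https://evil.example.net/checkout", selector="#buy")
        out["offsite_click"] = "allowed"
    except ActionDenied:
        out["offsite_click"] = "denied"
    try:
        policy.gate("click", "https://app.example.com/cart", selector="#buy-now")
        out["purchase_click"] = "allowed"
    except ActionDenied:
        out["purchase_click"] = "needs confirmation"
    dry = BrowserPolicy(allowed_hosts=allow, dry_run=True)
    out["dry_run_executed"] = dry.gate("eval", "https://app.example.com/", script="document.cookie")
    out["dry_run_verdict"] = dry.audit_log[-1][0]
    out["secret_in_log"] = any("hunter2" in d for _, d in policy.audit_log)
    return out


if __name__ == "__main__":
    print(policy_demo())
```

The host check is deliberately an exact match rather than a suffix match: a suffix rule such as `endswith("example.com")` would also admit `example.com.attacker.test`, and wildcard rules are exactly the permission pattern the report's "Wildcard Permission" category warns about.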

VirusTotal

66/66 vendors flagged this skill as clean.