Chrome CDP Browser Operator

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it needs careful review because it can control a logged-in Chrome/X session, collect contact details from posts, send notifications, and publish replies when live mode is enabled.

Install only if you intentionally want an agent to operate a dedicated Chrome profile and possibly an X account. Use a separate low-risk browser profile rather than your everyday one, keep the CDP endpoint bound to 127.0.0.1 and stop the debugging instance when the operator is not running, review draft outputs before enabling live mode, avoid --apply unless you accept public posting from that account, and enable Telegram only if you are comfortable sending extracted contact details to that destination.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises shell, file read, and file write capabilities through referenced scripts but does not declare permissions. This weakens trust boundaries and reviewability, making it easier for a caller to invoke powerful local actions without clear upfront disclosure or policy gating. In the context of a browser operator that can attach to a real logged-in Chrome profile, undeclared local capabilities increase the risk of unauthorized automation, persistence, or data access.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose presents the skill as a general browser automation helper, while the detected behavior is specialized for X/Twitter outreach: searching posts, extracting contact signals, generating canned responses, and posting replies with state tracking. That mismatch is dangerous because it conceals a social-media automation and engagement workflow that could be used for spam, lead harvesting, or deceptive outreach, especially when driven through a real logged-in browser profile.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill metadata presents this as a general Chrome/CDP browser operator, but the implementation is specialized for scanning X/Twitter, classifying user posts, and drafting or sending replies. This capability mismatch is dangerous because it conceals social-media targeting and outreach behavior behind a broader browser-automation description, increasing the risk of deceptive deployment and misuse.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code analyzes social-media content for issue types, extracts contact information, scores likely leads, and prepares templated outreach unrelated to the claimed browser-operator purpose. In context, this expands the skill into unsolicited profiling and engagement automation using a logged-in real browser session, which materially increases abuse potential.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The installer generates a configuration specifically for automated X/Twitter search-and-reply behavior, including keywords, reply limits, cooldowns, and a base URL of x.com/home. That goes beyond a generic browser-operation skill and materially enables social-media automation from an attached real Chrome profile, which increases abuse potential such as spam, impersonation, or unwanted actions from a logged-in account.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The invocation text is broad enough to match many ordinary browser-use requests, increasing the chance that the skill is selected in situations where a less-privileged tool would suffice. Because this skill can control a real browser session, broad routing language can unintentionally expand access to authenticated websites and sensitive user context.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The markdown does not prominently warn that the skill can attach to an existing logged-in Chrome profile and drive a real browser session. That omission is significant because attaching to a live authenticated profile grants access to cookies, sessions, and user context, enabling high-impact actions on behalf of the user if the skill is invoked unexpectedly or too broadly.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation instructs users to run Chrome with a remote debugging port and keep a logged-in profile attached, but it does not warn that the CDP endpoint has no authentication of its own: anyone who can reach it can inspect pages, read cookies and session data, and operate the browser as the user. Even though the example binds the endpoint to 127.0.0.1, local malware, other local users, or any process with local network access can still connect, and reusing a real profile increases the blast radius.
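The preflight check a practitioner would want before attaching this operator, covering both the Overview's advice (dedicated profile, CDP kept local) and the exposure described in this finding, as an added example that is not code from the skill or the report. The switch names are real Chrome switches; the everyday-profile locations, the dedicated profile directory passed by the caller, and the sample launch lines are assumptions made for illustration.

```python
"""Preflight audit of the Chrome command line a CDP operator will attach to.

Added example, not code from the skill under review. The switch names are
real Chrome switches; the everyday-profile paths and the dedicated profile
directory passed by the caller are assumptions made for illustration.
"""
import os
import shlex

# Real Chrome switches that govern remote-debugging exposure and profile choice.
REMOTE_PORT = "--remote-debugging-port"        # opens a TCP listener for CDP
REMOTE_ADDRESS = "--remote-debugging-address"  # bind address, default 127.0.0.1
REMOTE_PIPE = "--remote-debugging-pipe"        # CDP over inherited fds 3/4, no TCP listener
ALLOW_ORIGINS = "--remote-allow-origins"       # web origins allowed to open the DevTools websocket
USER_DATA_DIR = "--user-data-dir"              # profile directory; unset means the everyday profile

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Where the everyday, logged-in profile normally lives (assumed typical locations).
EVERYDAY_PROFILE_DIRS = (
    "~/Library/Application Support/Google/Chrome",  # macOS
    "~/.config/google-chrome",                      # Linux
    "~/AppData/Local/Google/Chrome/User Data",      # Windows (%LOCALAPPDATA%)
)


def _canon(path):
    """Expand ~ and normalise so equivalent spellings of a directory compare equal."""
    return os.path.normpath(os.path.expanduser(path))


def parse_switches(cmdline):
    """Return {switch: value} for every --switch[=value] token on the command line."""
    switches = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("--"):
            name, has_value, value = tok.partition("=")
            switches[name] = value if has_value else None
    return switches


def audit_chrome_cmdline(cmdline, dedicated_profile_dir):
    """Return (severity, message) findings; an empty list means the launch passes."""
    sw = parse_switches(cmdline)
    findings = []

    tcp_debugging = REMOTE_PORT in sw
    if tcp_debugging:
        addr = sw.get(REMOTE_ADDRESS) or "127.0.0.1"  # Chrome's default bind address
        if addr not in LOOPBACK:
            findings.append(("high", f"CDP bound to {addr}: reachable from other hosts, not just local processes"))
        if sw.get(ALLOW_ORIGINS) == "*":
            findings.append(("high", "--remote-allow-origins=*: any web origin may open the DevTools websocket"))
    elif REMOTE_PIPE not in sw:
        findings.append(("info", "no remote-debugging switch: a CDP operator cannot attach to this instance"))

    udd = sw.get(USER_DATA_DIR)
    if udd is None:
        findings.append(("high", "no --user-data-dir: Chrome opens the everyday, logged-in profile"))
    elif _canon(udd) in {_canon(d) for d in EVERYDAY_PROFILE_DIRS}:
        findings.append(("high", f"--user-data-dir={udd} is the everyday profile, not a dedicated one"))
    elif _canon(udd) != _canon(dedicated_profile_dir):
        findings.append(("medium", f"--user-data-dir={udd} is not the expected operator profile {dedicated_profile_dir}"))

    return findings


if __name__ == "__main__":
    # Constructed sample launch lines: a hardened one and one that takes every shortcut.
    good = ("google-chrome --remote-debugging-port=9222 --remote-debugging-address=127.0.0.1 "
            "--user-data-dir=/tmp/cdp-operator-profile")
    bad = "google-chrome --remote-debugging-port=9222 --remote-debugging-address=0.0.0.0 --remote-allow-origins=*"
    for line in (good, bad):
        print(line)
        for sev, msg in audit_chrome_cmdline(line, "/tmp/cdp-operator-profile") or [("ok", "passes")]:
            print(f"  [{sev}] {msg}")
```

Run the audit against the command line of the Chrome process that is actually listening on the port, not just the line in the skill's instructions: if a Chrome instance using the same profile is already running, a second launch hands its arguments to the existing process and the debugging switches are silently ignored. Where the agent framework supports it, `--remote-debugging-pipe` avoids the TCP listener altogether, which removes the local-access exposure this finding describes.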

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Detected phone numbers or email addresses from public posts are forwarded to an external messaging command without any consent, minimization, or user-facing disclosure. This creates a privacy and data-handling risk because scraped contact data is exfiltrated out of the browsing workflow to another channel, potentially exposing sensitive personal information.
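The minimisation step this finding says is missing, as an added example that is not the skill's or the report's code: contact details are extracted from post text, but what leaves the browsing workflow is, by default, only counts and salted hashes (enough to de-duplicate leads downstream), with raw values released only on an explicit opt-in. The regexes, the sample post text and the notification shape are constructed for illustration; a real deployment would also surface the opt-in in user-facing documentation.

```python
"""Minimise scraped contact details before they are forwarded to another channel.

Added example, not code from the skill under review. The regexes, the
notification shape and the sample posts are constructed for illustration.
"""
import hashlib
import re

# Loose matchers; good enough to demonstrate minimisation, not a validation library.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"(?<!\w)(?:\+?\d[\d\s().-]{6,}\d)(?!\w)")


def extract_contacts(text):
    """Return {'emails': [...], 'phones': [...]} found in a post; phones are digit-normalised."""
    emails = EMAIL_RE.findall(text)
    phones = []
    for raw in PHONE_RE.findall(text):
        digits = re.sub(r"[\s().-]", "", raw)
        if 7 <= len(digits.lstrip("+")) <= 15:  # E.164 allows at most 15 digits
            phones.append(digits)
    return {"emails": emails, "phones": phones}


def _pseudonym(value, salt):
    """Salted, truncated SHA-256 so the receiver can de-duplicate without holding the PII."""
    return hashlib.sha256((salt + value.lower()).encode()).hexdigest()[:12]


def minimise(contacts, salt):
    """Replace raw identifiers with counts plus pseudonyms."""
    return {
        "email_count": len(contacts["emails"]),
        "phone_count": len(contacts["phones"]),
        "email_ids": [_pseudonym(e, salt) for e in contacts["emails"]],
        "phone_ids": [_pseudonym(p, salt) for p in contacts["phones"]],
    }


def build_notification(post_id, text, salt, disclose_raw=False):
    """Build the payload handed to the messaging command.

    Returns None when the post carries no contact data (so nothing is sent at all),
    a minimised payload by default, and raw values only when the operator opted in.
    """
    contacts = extract_contacts(text)
    if not (contacts["emails"] or contacts["phones"]):
        return None
    payload = {"post": post_id, **minimise(contacts, salt)}
    if disclose_raw:  # explicit, per-run opt-in to forwarding personal data
        payload["raw"] = contacts
    return payload


if __name__ == "__main__":
    # Constructed sample post; not real data.
    post = "Reach me at jane.doe@example.com or +1 (415) 555-0134, happy to chat."
    print(build_notification("1234567890", post, salt="per-deployment-secret"))
    print(build_notification("1234567891", "no contact info here", salt="per-deployment-secret"))
```

The salt should be a per-deployment secret, not a hard-coded string, so the pseudonyms cannot be reversed by brute-forcing common phone ranges. Keeping the opt-in a function parameter rather than a global makes it visible at every call site where raw contact data would leave the workflow.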

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal