Internal Admin Playwright

Security checks across malware telemetry and agentic risk

Overview

This skill is meant for internal admin automation, but it ships sensitive-looking credentials, under-scoped network controls, and undocumented privileged moderation/debug tooling that users should review carefully before installing.

Install only if you are authorized to access the referenced admin system and can audit the package first. Remove and rotate the bundled admin and VPN credentials, disable or redact debug logging and screenshots, fix whitelist enforcement for all request types, and run any VPN changes only on an isolated machine or container where system-wide routing changes are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess
from pathlib import Path

def sh(cmd: str, check: bool = True) -> subprocess.CompletedProcess:
    # shell=True passes cmd to the system shell: untrusted input in cmd becomes command injection
    return subprocess.run(cmd, shell=True, text=True, capture_output=True, check=check)

def load_cfg(skill_root: Path) -> dict:
    ...  # body truncated in the scan excerpt
Confidence
96% confidence
Finding
return subprocess.run(cmd, shell=True, text=True, capture_output=True, check=check)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill exposes significant capabilities (environment access, file read/write, network, and shell) but does not declare permissions, which weakens reviewability and containment. In a skill that automates internal admin access and can bring up a VPN, hidden or undeclared capabilities materially increase the chance of misuse or unsafe execution beyond what operators expect.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
This is a serious mismatch between the claimed controlled admin-navigation behavior and the reported actual behaviors: bulk moderation actions, hardcoded credentials, and ineffective whitelist enforcement for non-document resources. In an internal admin automation skill, these issues can enable unauthorized access, silent outbound connections through page subresources, and high-impact actions in privileged back-office systems.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The captured internal admin login page loads a third-party Cloudflare Insights script from an external domain, which contradicts the stated internal-only/no-external-access model. In a VPN-restricted admin context, this can leak metadata such as page visits, timing, client characteristics, and potentially sensitive internal application usage to an outside service, weakening the trust boundary.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This debug script performs a real login against an internal admin system and then probes post-login UI elements, which exceeds a narrowly scoped automation skill and increases the chance of unintended access, reconnaissance, or misuse. In the context of an internal-admin Playwright skill, this is more dangerous because it targets a real privileged backend rather than a mock environment, and the script is not constrained to a fixed approved workflow.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script enumerates input fields, captures page text, screenshots failures, and searches for internal menu items after authentication, providing diagnostic and reconnaissance capabilities not justified by the declared controlled-purpose skill. In an internal admin context, these behaviors can expose sensitive interface structure or data and make privilege misuse or lateral discovery easier if the script is run by an unauthorized or over-privileged operator.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script hardcodes internal admin credentials and uses them to authenticate to a privileged backend. This creates a direct secret-exposure and privilege-misuse risk: anyone with file access can reuse the credentials, and the skill can perform sensitive actions outside narrowly scoped navigation. In this context, the danger is increased because the skill automates moderation actions in an internal admin system, so compromised credentials could lead to unauthorized access and business-impacting changes.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill is presented as controlled internal admin menu automation, but this script performs substantive moderation decisions by approving or rejecting user comments based on local regex rules. That mismatch expands the effective capability of the skill beyond its declared purpose, reducing operator awareness and weakening governance over high-impact actions. In a sensitive internal-admin context, undeclared decision-making automation is more dangerous than simple navigation because it can silently alter platform content state.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script loads moderation rules from an external fallback path under another local skill directory, creating hidden cross-skill coupling and an untracked trust boundary. If that external file is modified, replaced, or maliciously populated, this script will make approval/rejection decisions based on unreviewed policy, potentially causing unauthorized moderation outcomes. The internal-admin setting makes this risk more serious because rule tampering directly drives privileged actions on production content.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill accepts HTTP_PROXY/HTTPS_PROXY from the environment and applies that proxy to the Playwright browser context, allowing all authenticated internal-admin traffic to be redirected through an arbitrary intermediary. In this skill's context (handling internal admin access, credentials, OTPs, and potentially sensitive pages), that creates a serious exfiltration and interception risk if the environment is influenced by an attacker or misconfigured.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The whitelist is enforced only for top-level document navigations, while all subresource requests such as XHR/fetch, images, scripts, fonts, and iframes are allowed to any host. In an internal-admin automation context, this can enable data exfiltration or unintended access to external systems if the loaded page, injected script, or compromised internal app causes the browser to issue non-document requests to attacker-controlled domains.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The README instructs users to supply privileged staff credentials, OTP codes, and VPN configuration for access to an internal admin system, but it does not prominently warn about the security and system-impact risks of running such automation. In this context, omission of those warnings can lead to unsafe handling of secrets, unintended routing of traffic through VPN, and execution against sensitive internal systems by users who may not understand the blast radius.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The file contains hardcoded credentials and automatically submits them to a live admin login form, which is a direct secret-management failure and creates immediate risk of credential leakage, reuse, and unauthorized access. This is especially dangerous in this skill because it targets an internal administrative backend, so exposed credentials may grant privileged access to sensitive systems and data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The template instructs operators to pass privileged admin credentials and a one-time password via environment variables, but it provides no handling guidance, masking advice, or warning about shell history, process inspection, CI logs, or shared-session leakage. In an internal-admin automation context, these secrets grant access to sensitive back-office systems, so poor secret-handling practices materially increase the risk of credential exposure and unauthorized administrative access.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script submits credentials, captures screenshots, and prints part of the server response during login without safeguards around sensitive data handling. Screenshots and response bodies can contain usernames, OTPs, session state, internal URLs, or error details, which may leak into logs or temporary files and be accessible to other local users or automation. In an internal admin environment, this increases the blast radius of any local compromise or misconfigured artifact retention.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script performs state-changing moderation actions automatically, including approving or rejecting comments, without a clear warning, confirmation policy, or operator review step. That creates a risk of unintended irreversible content decisions, especially since the logic is driven by local regex rules and fallback files that may be incomplete or tampered with. The context makes this more dangerous because the skill operates on a privileged internal moderation interface rather than a test environment.

Missing User Warnings

High
Confidence
99% confidence
Finding
The debug logging prints the OTP and username in plaintext during login, directly exposing authentication secrets in terminal logs, CI logs, shell history captures, or session recordings. In an internal admin automation skill, this is especially dangerous because OTPs and usernames materially aid account takeover and weaken multi-factor protections.

Missing User Warnings

High
Confidence
97% confidence
Finding
On failure, the script saves full-page screenshots and complete HTML to disk, which can capture credentials, OTP prompts, internal URLs, account data, CSRF tokens, and administrative content. Because this skill targets internal back-office systems, these artifacts may contain highly sensitive data and can persist long after the session ends, expanding the breach surface.

VirusTotal

65/65 vendors flagged this skill as clean.
