Agent Browser Backup 20260407

Security checks across malware telemetry and agentic risk

Overview

This is a coherent browser-automation skill, but it gives agents broad control over authenticated browser sessions and saved local artifacts without enough safety boundaries or warnings.

Install only if you need broad browser automation and trust the upstream agent-browser CLI. Use it only on sites you are authorized to automate; require explicit confirmation before submitting forms, uploading files, making account changes, or reusing saved login state; and protect auth.json, screenshots, recordings, traces, PDFs, logs, and extracted data as you would secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Description-Behavior Mismatch

Medium (95% confidence)
The manifest description materially understates the skill's capabilities. Beyond simple navigation and form interaction, the skill can persist session state, inspect and modify cookies/storage, inject headers/credentials, intercept or mock network traffic, write artifacts to disk, and execute arbitrary JavaScript, which affects how a caller should assess trust and risk.

Context-Inappropriate Capability

Medium (96% confidence)
The documented `eval` command enables arbitrary JavaScript execution in the browser context, which can read page data, manipulate application state, and trigger privileged actions under the current authenticated session. Because this capability is not reflected in the manifest's stated purpose, consumers may authorize the skill without understanding that it can execute arbitrary code against live sites.

Context-Inappropriate Capability

Medium (94% confidence)
Network interception and response mocking go beyond ordinary browsing and allow the skill to alter requests and responses, block traffic, and potentially tamper with application behavior or exfiltration paths. When such capability is not clearly disclosed, the skill appears narrower and safer than it is, increasing the risk of misuse in trusted environments.

Missing User Warnings

Medium (92% confidence)
The skill encourages saving screenshots, PDFs, videos, traces, and related artifacts to disk without warning that they may contain credentials, personal data, internal pages, or other sensitive information. In an agent setting, silent local persistence can create unintended retention and later disclosure risks, especially on shared hosts or in logs/artifact stores.

Missing User Warnings

Medium (97% confidence)
The commands for cookies, storage, credentials, custom headers, and state save/load directly handle authentication material and other secrets. Without clear warnings, users or agents may export, reuse, or store live session data insecurely, enabling account takeover or unauthorized access if those files or values are exposed.

Missing User Warnings

Low (85% confidence)
The markdown provides copy-pastable browser automation commands that cause side effects, including writing a screenshot file to disk, without any warning or guidance about what the commands do. In an agent-executed context, this can lead to unintended file creation and network access, especially if users run the examples verbatim without understanding their operational effects.

Missing User Warnings

Medium (92% confidence)
The documentation instructs users to save authenticated browser state to a local file (`auth.json`) without warning that such state commonly contains session cookies, tokens, and other reusable authentication artifacts. If that file is stored insecurely, committed to source control, or shared between agents/users, an attacker could reuse the session and gain unauthorized access.

Missing User Warnings

Medium (82% confidence)
The form automation example demonstrates submitting personal data such as name, email, phone number, and city, but does not warn about privacy, consent, or the risk of sending real data to third-party sites. In an agent-execution context, this can normalize automated submission of sensitive information and lead to accidental disclosure or noncompliant data handling.

Missing User Warnings

Medium (89% confidence)
The screenshot, recording, and PDF export examples encourage capturing full page contents without noting that these artifacts may include passwords, account data, tokens, internal documents, or other sensitive information visible in the browser. Such files are easy to persist, copy, or upload elsewhere, creating a secondary data exposure path beyond the live browsing session.

VirusTotal

66/66 vendors flagged this skill as clean.