Security audit

Web Browsing.Bak

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward web-browsing helper, but users should avoid giving it private URLs or sensitive search terms.

Install only if you are comfortable with your search terms and requested URLs being sent to DuckDuckGo and the websites being fetched. Do not provide internal links, localhost/private-network URLs, tokenized URLs, credentials, personal data, or confidential research queries. Verify the package identity if you expected an official or non-forked web-browsing skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 96%
Finding
The description encourages internet browsing, URL fetching, and search without warning that user-supplied URLs and queries may be transmitted to external websites or search providers. That omission can cause inadvertent disclosure of sensitive links, internal URLs, tokens in query strings, or private research topics to third parties.

Missing User Warnings

Medium
Confidence: 95%
Finding
The examples and best-practice guidance actively encourage users to submit arbitrary URLs for retrieval and analysis, but provide no warning about privacy, SSRF-style access risks, or the possibility of contacting attacker-controlled infrastructure. In a browsing skill, this context increases danger because arbitrary-link handling is the core feature and will be routinely invoked on untrusted input.

Missing User Warnings

Low
Confidence: 90%
Finding
The guide demonstrates search and URL fetching but does not warn that user queries, target URLs, and related metadata may be sent to external search engines or websites. In a web-browsing skill, this can lead to unintended disclosure of sensitive prompts, internal URLs, or identifiers if users or downstream agents pass private data into these functions.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.