Agentic Browser 0.1.2

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate browser automation skill, but it gives an agent broad control over web sessions and includes under-warned examples involving cookies, proxies, recordings, uploads, and form submission.

Install only if you trust inference.sh and need broad browser automation. Use it only on sites and accounts you are authorized to automate, require explicit approval before login, form submission, upload, JavaScript execution, screenshot, recording, or proxy use, avoid exporting cookies, and close sessions promptly after each task.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Intent-Code Divergence

High (95% confidence)
The documentation states that JavaScript can retrieve httpOnly cookies, which is false and can mislead users into building insecure or incorrect authentication-handling workflows. In a browser automation skill that supports JavaScript execution and authenticated sessions, misleading guidance around cookie access can cause users to overestimate what page JavaScript can exfiltrate, weakening threat modeling and potentially encouraging unsafe session-export practices.

Vague Triggers

Medium (91% confidence)
The trigger list includes broad terms like "browser," "click," "screenshot," and "research," which can cause the skill to activate in unrelated contexts. Because this skill enables powerful browser automation, accidental invocation could lead to unintended web actions, scraping, form interaction, or exposure of sensitive browsing context.

Missing User Warnings

Medium (94% confidence)
The description highlights capabilities like web scraping, form filling, file upload, video recording, proxying, and JavaScript execution without warning about privacy, credential, and data-handling risks. Users or calling agents may underestimate the sensitivity of these operations and permit actions that capture personal data, session information, or interact with third-party sites without adequate consent.

Missing User Warnings

Medium (93% confidence)
The cookie extraction section provides commands to dump session cookies without prominently warning that these values are highly sensitive bearer credentials. In the context of an agent-browser skill designed for authenticated browsing and automation, this is more dangerous because users may routinely operate logged-in sessions; copied cookies can enable session hijacking, lateral movement into other tools, or accidental leakage via logs, terminals, or transcripts.

Missing User Warnings

Medium (88% confidence)
The documentation includes authenticated proxy examples and corporate proxy credential usage without clearly warning that the proxy operator can observe destination metadata and potentially sensitive traffic. In a browser automation skill, users may route authenticated sessions, cookies, or internal/vendor access through third-party or enterprise proxies, creating a meaningful credential and data exposure risk if the trust boundary is not made explicit.

Missing User Warnings

Medium (95% confidence)
The 'Privacy and Anonymity' section suggests that using a proxy provides privacy/anonymity, but proxies do not inherently guarantee anonymity and may themselves track users or leak identifying data through browser fingerprints, DNS, cookies, or account logins. This can mislead users into adopting unsafe operational assumptions, especially in an agent-driven browser that can carry rich identifying context.

Missing User Warnings

Medium (95% confidence)
The documentation states that sessions persist cookies, storage, history, page state, and video buffers across calls, but it does not warn users that this retained state may contain authentication tokens, personal data, or other sensitive artifacts. In a browser-automation skill, that omission is risky because users may unknowingly reuse or expose live authenticated sessions across multi-step workflows, increasing the chance of unintended data access or leakage.

Missing User Warnings

Medium (88% confidence)
The documentation explicitly recommends using arbitrary JavaScript (`document.querySelector(...).click()`) and says iframes can be handled with `execute` JS, but it provides no warning that JS execution bypasses the safer `@e` ref model and can trigger unintended actions, access page state broadly, or interact with hidden elements. In a browser-automation skill, this expands the attack surface because an agent may resort to direct DOM scripting on untrusted pages, increasing the risk of unsafe interactions, data exposure, or bypassing built-in guardrails.

Missing User Warnings

Medium (94% confidence)
The documentation encourages broad use of session video recording for debugging, CI artifacts, documentation, and auditing, but only briefly notes not to record sensitive sessions and does not clearly warn that videos can capture credentials, tokens, PII, admin consoles, or other on-screen secrets and create persistent files that may be copied, archived, or exposed. In the context of a browser automation skill with form filling, file upload, and admin-task usage, this omission materially increases the risk of sensitive data retention and secondary disclosure.

Missing User Warnings

Medium (92% confidence)
The template demonstrates submitting data pulled from environment variables to an arbitrary user-supplied URL without any explicit warning, confirmation step, or trust-boundary guidance. In the context of a browser automation skill designed for scraping and form interaction, this increases the risk of accidental exfiltration of sensitive data such as names, emails, or other secrets to external sites, especially if users adapt the template without understanding the transmission risk.

Ssd 2

Medium (97% confidence)
The documentation explicitly promotes rotating proxies to avoid website rate limits while scraping, which is guidance for evading access controls and usage restrictions. In the context of an agent browser skill with scraping and automation capabilities, this materially lowers the barrier to abusive collection and policy circumvention at scale.

VirusTotal

66/66 vendors flagged this skill as clean.
