browser-use-init

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do what it advertises, but it copies a logged-in Chrome profile and exposes it to powerful browser automation without enough guardrails.

Install only if you intentionally want automation tools or an LLM agent to control a real Chrome session. Use a separate automation-only Chrome profile or test accounts, avoid copying your main personal profile, close the CDP browser when finished, protect or delete the copied profile, and review start_chrome.py before running because it can terminate Chrome and preserve logged-in web sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
f' --no-first-run'
        f' --no-default-browser-check'
    )
    subprocess.Popen(cmd, shell=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def wait_for_cdp(timeout=20):
Confidence
98% confidence
Finding
subprocess.Popen(cmd, shell=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

Tainted flow: 'cmd' from os.getenv (line 68, credential/environment) → subprocess.Popen (code execution)

Medium
Category
Data Flow
Content
f' --no-first-run'
        f' --no-default-browser-check'
    )
    subprocess.Popen(cmd, shell=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def wait_for_cdp(timeout=20):
Confidence
99% confidence
Finding
subprocess.Popen(cmd, shell=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

Tainted flow: 'src_ls' from os.getenv (line 47, credential/environment) → shutil.copy2 (file write)

Medium
Category
Data Flow
Content
# Copy Local State
    src_ls = os.path.join(SRC_DIR, "Local State")
    if os.path.exists(src_ls):
        shutil.copy2(src_ls, os.path.join(DST_DIR, "Local State"))
    # Copy Default profile
    src_def = os.path.join(SRC_DIR, "Default")
    dst_def = os.path.join(DST_DIR, "Default")
Confidence
93% confidence
Finding
shutil.copy2(src_ls, os.path.join(DST_DIR, "Local State"))

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script forcibly terminates all running chrome.exe processes, including unrelated user browsing sessions, without checking ownership or purpose. This can cause data loss, disrupt active work, and terminate security-sensitive browser sessions unexpectedly.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill describes automatic profile copying as a convenience feature but does not clearly warn that this duplicates sensitive browsing artifacts, including cookies, history, bookmarks, and authenticated session state, into another directory. In this context, the copied profile is then used for remote control, which materially increases the risk of session theft, unintended data exposure, or misuse of logged-in accounts.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The examples show Playwright and agent-driven automation performing navigation, extraction, form filling, and submission on live websites, but they do not prominently warn that these actions execute against real accounts using the user's active logged-in browser session. Because the skill specifically preserves login state via copied profiles and CDP, mistakes or malicious downstream prompts could trigger irreversible actions such as purchases, submissions, account changes, or data exfiltration.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document instructs users to copy a live Chrome profile, including Local State and profile data containing authenticated session artifacts, in order to operate the browser through CDP. Even if framed as a compatibility workaround, this meaningfully increases the risk of exposing cookies, tokens, browsing history, and other sensitive data, especially because the guidance does not include explicit privacy warnings, scope limitations, or handling safeguards.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guidance enables Chrome remote debugging and explicitly uses --remote-allow-origins=* while omitting any strong warning that CDP provides near-complete browser control, including access to authenticated pages, cookies via browser context, page content, and arbitrary navigation/actions. In the context of an automation skill intended for scraping, form filling, and agent-driven browsing, exposing a debugging interface without security caveats materially raises the chance of account takeover or sensitive data misuse if the port becomes reachable by other local or network actors.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Force-killing all Chrome processes without prior warning or confirmation is unsafe because users can lose unsaved work and active sessions. In an automation skill, this is more dangerous because it may run non-interactively and affect the host environment unexpectedly.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script clones the user's Chrome profile data, including Local State and the Default profile, into another directory to preserve login state for automation. This duplicates cookies, tokens, and browsing data into a new location, increasing exposure of sensitive session material and privacy risk, especially because the skill is explicitly designed for remote browser control.

VirusTotal

64/64 vendors flagged this skill as clean.
