BrowseCTL

Security checks across malware telemetry and agentic risk

Overview

BrowseCTL appears to be a real browser automation tool, but it needs review because it can copy logged-in browser cookies and extensions into agent-controlled sessions and keeps browser state on disk.

Install only if you are comfortable giving an agent real browser-control authority. Use a dedicated automation browser profile, prefer `--no-copy-data` unless you intentionally want logged-in sessions, avoid entering secrets in the REPL, review batch files before running them, and periodically clear sessions, profiles, screenshots, REPL history, and WebDriver processes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (9)

Missing User Warnings

Medium
Confidence: 91%
Finding
The README explicitly states that installation and setup automatically download platform-specific binaries and write configuration files, but it does not prominently warn users about the resulting network access, executable retrieval, and local filesystem changes. In an AI-driven browser automation tool, this behavior increases supply-chain and transparency risk because users or agents may install and run it in sensitive environments without understanding that unpinned external binaries will be fetched and persisted locally.

Missing User Warnings

Medium
Confidence: 87%
Finding
The skill encourages persistent sessions and documents a reusable user-data directory, but does not clearly warn that browser profiles may retain cookies, tokens, history, and other sensitive state across invocations. In an AI-agent context, this increases the risk of unintended access to authenticated sessions or leakage of sensitive browsing artifacts between tasks.

Missing User Warnings

Low
Confidence: 92%
Finding
The setup instructions tell users to run `browsectl setup`, which auto-detects browsers and downloads a matching WebDriver binary, but do not clearly disclose the network access and local system changes involved. This can lead to users or agents performing unexpected downloads and installation side effects in environments with strict trust, supply-chain, or change-control requirements.

Missing User Warnings

Medium
Confidence: 90%
Finding
The README explicitly states that browser sessions persist to `.browsectl/sessions.json` across CLI invocations, but it does not warn that persisted session identifiers, browser state, and associated profile data may expose sensitive browsing context or authenticated sessions to other local users, logs, backups, or later agent runs. In an AI-driven browser automation tool, this is more dangerous because agents may unknowingly reuse authenticated sessions and access prior user data without clear user consent or visibility.

Missing User Warnings

Medium
Confidence: 92%
Finding
The documentation explicitly promotes capturing screenshots to local files but does not warn that screenshots may contain sensitive page content such as session data, personal information, prompts, or QR login tokens. In an AI-driven browser automation context, this increases the risk of silent local data retention and unintended disclosure, especially when agents operate on authenticated or user-specific pages.

Missing User Warnings

Medium
Confidence: 89%
Finding
The file states that session tab state is persisted to `.browsectl/sessions.json` without warning users that browsing/session-related metadata is stored locally. In this skill's context, persisted session state can reveal browsing targets, aliases, handles, and workflow history, creating privacy and forensic exposure on shared or multi-tenant systems.

Missing User Warnings

Medium
Confidence: 84%
Finding
The command is explicitly designed to extract the latest chat message including text, HTML, links, and image metadata, which can expose sensitive page content to the calling agent or downstream systems. In an AI-driven browser-control context, this materially increases data-exfiltration risk because chat interfaces often contain credentials, personal data, or proprietary information.

Missing User Warnings

Medium
Confidence: 92%
Finding
The `js` wait condition evaluates raw JavaScript in the page context, enabling arbitrary script execution against any visited site. Even if intended for automation, this is dangerous because untrusted or prompt-influenced inputs could invoke DOM reads, state changes, or data extraction beyond simple waiting semantics.

Missing User Warnings

Medium
Confidence: 94%
Finding
The documentation states that in non-interactive mode the tool defaults to copying cookies and extensions from the user's real browser profile into the automation profile. That behavior can silently transfer sensitive authenticated state and installed extension data into an automated environment, increasing the risk of credential leakage, session misuse, and privacy violations—especially when the session is persisted and reused.

VirusTotal

65/65 vendors flagged this skill as clean.
