Back to skill

Security audit

Browser CDP Connect

Security checks across malware telemetry and agentic risk

Overview

This skill openly connects an agent to the user's logged-in Chrome browser to bypass anti-bot blocks, which creates meaningful account, privacy, and persistence risks.

Install only if you intentionally want an agent to control a logged-in Chrome session for authorized sites. Prefer a separate Chrome profile with no personal accounts, avoid sensitive tabs, and clear browser.cdp_url after the task so future automation does not keep using your real browser.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill instructs reading a local Chrome DevToolsActivePort file and persisting browser.cdp_url into config.yaml, which are file read/write capabilities not declared in permissions. Undeclared capability use weakens user and platform trust boundaries because the skill can alter persistent browser-routing behavior without an explicit capability declaration.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill is specifically designed to attach the agent to the user's everyday Chrome profile with active cookies, sessions, and account state, but the description does not prominently warn that the agent will inherit access to whatever sites the browser is logged into. That creates a serious risk of unintended access, data exposure, and account actions performed under the user's identity.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The instructions direct the user to persist browser.cdp_url in config.yaml and emphasize that it takes effect immediately and for future calls, but do not clearly foreground that this alters future browser sessions until manually reverted. A persistent CDP endpoint can silently keep later browsing attached to the user's real Chrome session, expanding exposure beyond the immediate task.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script persistently modifies Hermes browser configuration to point at the user's daily Chrome via CDP, which can silently redirect future automation into a live logged-in browser profile without explicit confirmation. In this skill's context, that is especially dangerous because the stated purpose is to bypass anti-bot protections by using the user's real session and behavioral fingerprint, increasing the risk of unintended access to sensitive cookies, authenticated content, and cross-session data exposure.

Ssd 4

High
Confidence
98% confidence
Finding
The skill explicitly guides the agent to connect to the user's logged-in Chrome in order to access sites that block headless automation, using the user's authenticated state as a means of bypassing anti-bot controls. This is dangerous because it combines defense evasion with privileged access under the user's identity, increasing legal, privacy, and account-security risk.

Ssd 2

High
Confidence
97% confidence
Finding
The text explicitly states that the user's real login state and human behavior characteristics are advantageous because they avoid bot detection, which is a semantic instruction for evading anti-crawling controls. Framing the technique as normal browser use does not reduce the risk; it encourages covert access using trusted user state to defeat platform safeguards.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.