Fast Browser Use Local

Security checks across malware telemetry and agentic risk

Overview

This is a powerful local browser automation skill, but its own docs and code under-scope sensitive session, cookie, scraping, and browser-control behavior.

Install only if you intentionally want a high-power local Chrome automation tool and are comfortable with agents seeing page contents, form values, tab URLs, cookies, and saved session files. Avoid using it on protected third-party sites, do not save session files in shared or synced folders, and review every request involving cookies, raw JavaScript, screenshots, or filesystem paths.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly enables network-capable browser automation but declares no permissions or user-facing constraints. That mismatch reduces transparency and can cause agents or users to invoke broad web access without informed approval, especially when combined with scraping and session-handling features.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The tool's behavior and its reported outcome are inconsistent: comments state it only closes tabs as a proxy, while the API reports that the browser was closed successfully. This can mislead downstream agents or workflows into assuming the browser process and session state are gone when they may still persist, creating incorrect security assumptions around cleanup, session isolation, and resource lifecycle.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation normalizes session reuse, cookie handling, and large-scale harvesting without privacy, consent, or account-security warnings. In an agent setting, this can lead to unauthorized scraping, leakage of authenticated session material, or misuse of personal/account data under the guise of routine automation.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
The skill explicitly promotes bypassing bot detection and 'cookie heist' behavior, which goes beyond neutral automation and encourages evasion and session theft patterns. This materially increases the likelihood of unauthorized access, terms-of-service violations, and misuse of authenticated browser state.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrases are generic and overlap with common user intents such as browsing, searching, and opening a browser. In a skill with both network and filesystem permissions, this increases the chance of unintended invocation, which could lead to unsolicited web access or local file interaction under normal conversation flows.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The Login command serializes browser cookies and writes them to an arbitrary file path without any warning, consent language, file-permission hardening, or encryption. Session cookies often represent active authentication state, so storing them in plaintext can expose accounts if the file is read by another local user, copied into logs/backups, or committed to source control.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code explicitly captures live values from INPUT and TEXTAREA elements and inserts them into the serialized DOM snapshot. In an agent/browser-use context, this can expose secrets such as passwords, OTPs, personal data, search queries, and draft content to downstream consumers, logs, or remote models without any minimization or consent gate.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The serializer includes href targets and builds selectors that reveal precise page structure and element locations. In an automation/agent setting, this can leak internal routes, tokenized links, account-specific URLs, and page topology that may be sensitive when transmitted off-page or stored in logs.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The tool writes PNG bytes to an arbitrary filesystem path supplied in `params.path` with no validation, restriction, or confirmation. In an agent/tooling context, this can be abused to overwrite files the process can access, create files in sensitive locations, or clobber application state, especially if an LLM or untrusted caller can influence tool parameters.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The get_cookies tool exposes all session cookies from the active browser context with no visible access control, user-consent check, scoping enforcement, or audit signal in this code path. Cookies often contain session tokens and authentication state, so an agent or prompt that can invoke this tool could exfiltrate sensitive credentials across sites; the optional URL filter parameter is defined but not enforced here, which further increases risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The set_cookies tool lets callers inject arbitrary cookies into the browser session without visible validation, origin restrictions, or user confirmation. This can alter authenticated state, enable session fixation or account confusion, and bypass normal login flows by planting attacker-controlled cookies for target domains.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This tool directly executes arbitrary JavaScript supplied in `params.code` inside the active browser tab with no visible confirmation, policy gate, or restriction. In an agent skill, this is dangerous because prompts or upstream tools can cause silent DOM access, data extraction, state-changing actions, or script-driven interaction with authenticated pages in the user's browser session.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The tool opens and navigates a browser tab to a user-controlled URL with no allowlist, scheme restriction, confirmation, or disclosure visible in this code path. In an agent skill context, this can be abused to drive the browser to attacker-controlled pages, enabling phishing, unwanted network access, or interaction with sensitive internal resources depending on the browser/session environment.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The tool returns a full ARIA-derived page snapshot, which can expose sensitive on-page content such as user data, tokens rendered in the UI, internal links, or security-relevant state to any caller of the tool. In an agent/browser-use context, this materially increases data-exfiltration risk because the snapshot is designed for broad AI consumption and is returned without any consent gate, scope restriction, or redaction.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This tool enumerates all browser tabs and returns both titles and full URLs, which can expose sensitive user data such as internal app names, document titles, session-bearing URLs, search queries, or account-specific pages. In an agent/browser-automation skill, this is particularly risky because tab metadata from unrelated browsing context may be disclosed to the model or downstream callers without clear user consent or scoping.

Ssd 4

High
Confidence
97% confidence
Finding
Framing session theft as a standard workflow desensitizes users and agents to the security significance of saved authenticated state. Session artifacts can function as bearer tokens, so encouraging their capture and reuse can enable account takeover or unauthorized access if the file is copied, exposed, or reused outside intended boundaries.

Ssd 2

Medium
Confidence
93% confidence
Finding
Describing bot-evasion as 'human emulation' obscures the underlying intent while still instructing users how to avoid detection controls. This makes the behavior more dangerous in context because it is packaged as an acceptable recipe rather than an explicitly risky or restricted action.

VirusTotal

65/65 vendors flagged this skill as clean.
