Trust Assessment
browser received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium, and 0 low severity. Key findings include Potential Command Injection via User Input, Potential Credential Harvesting and Data Exfiltration of API Keys, Unspecified Supply Chain Risks from `npm install`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Potential Command Injection via User Input The skill is designed to execute `browser` CLI commands via `Bash` and accepts user-provided arguments such as `<url>`, `<action>`, `<instruction>`, and `<query>`. If these arguments are not rigorously sanitized and escaped before being interpolated into shell commands, a malicious user could inject arbitrary shell commands. For instance, providing a URL like `https://example.com; rm -rf /` could lead to arbitrary code execution on the host system. Implement robust input sanitization and escaping for all user-provided arguments before constructing and executing shell commands. Use secure methods for command execution (e.g., `subprocess.run` with `shell=False` in Python, or passing arguments as an array to `child_process.spawn` in Node.js) to prevent shell metacharacter interpretation. | LLM | SKILL.md:30 | |
| HIGH | Potential Credential Harvesting and Data Exfiltration of API Keys The skill explicitly mentions reading `BROWSERBASE_API_KEY` and `BROWSERBASE_PROJECT_ID` from the `.env` file for its operation. Given the declared `Bash` permissions, there is a credible path for a malicious or compromised skill to access and exfiltrate these sensitive API keys to an external server or log them insecurely. While the `SKILL.md` does not show the exfiltration mechanism, the capability to read credentials and execute arbitrary shell commands creates a significant risk. Thoroughly audit the underlying `browser` script for secure handling of credentials. Implement strict logging practices to prevent accidental exposure of sensitive data. For production environments, consider using platform-provided secret management solutions instead of `.env` files. | LLM | SKILL.md:10 | |
| MEDIUM | Unspecified Supply Chain Risks from `npm install` The setup instructions include `npm install`, which introduces supply chain risks. Without access to the `package.json` and `package-lock.json` files, it is impossible to verify dependencies for unpinned versions, known vulnerabilities, or potential typosquatting. A malicious or compromised package could lead to a compromise of the skill's execution environment. Provide `package.json` and `package-lock.json` for review. Ensure all dependencies are pinned to specific, known-good versions. Regularly audit dependencies for vulnerabilities using tools like `npm audit`. Consider using a private package registry or dependency-checking services. | LLM | SKILL.md:20 |
Scan History
Embed Code
[](https://skillshield.io/report/e71e36441970dfbf)
Powered by SkillShield