Trust Assessment
browser-ability received a trust score of 63/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 2 high, 2 medium, and 0 low severity. Key findings include Unpinned npm dependency version, Potential Command Injection via Tool Name or Arguments, High-Privilege Browser Automation via Chrome DevTools Protocol (CDP).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Potential Command Injection via Tool Name or Arguments.** The `script.js` file processes user-controlled `name` (tool name) and `args` (tool arguments) from command-line input. These inputs are then passed to `mcpClient.callTool()` from the `@modelcontextprotocol/sdk`. The `package-lock.json` indicates that `@modelcontextprotocol/sdk` depends on `cross-spawn`, a library used for executing external commands. If the `callTool` method in the SDK directly uses the user-provided `name` as an executable and `args` as its arguments in a shell context without proper sanitization or quoting, an attacker could inject arbitrary shell commands. For example, a malicious `name` like `'; rm -rf /; echo '` or `args` crafted to break out of command arguments could lead to remote code execution on the system where the skill is executed. The `@modelcontextprotocol/sdk`'s `callTool` implementation must ensure that `name` and `arguments` are never directly executed in a shell without strict validation and sanitization. If `name` refers to an executable, it should be a whitelisted, absolute path, and arguments should be passed as an array to `spawn` (or `cross-spawn`) to prevent shell interpretation. If `name` refers to an internal function, ensure no shell execution occurs. | LLM | script.js:79 |
| HIGH | **High-Privilege Browser Automation via Chrome DevTools Protocol (CDP).** The skill's core functionality involves connecting to a Chrome DevTools Protocol (CDP) endpoint, configured via the `CDP_URL` environment variable. CDP grants extensive control over a browser instance, including arbitrary JavaScript execution, network interception, and potential access to local files if the browser is not properly sandboxed. While `script.js` itself doesn't expose `CDP_URL` to direct user input, the inherent power of CDP means that if an attacker can achieve prompt injection into the host LLM, they could instruct the agent to use this skill to perform highly privileged actions within the browser. This could lead to data exfiltration, malicious navigation, or other compromises if the CDP-controlled browser is not adequately isolated from the host system. The `SKILL.md` explicitly mentions 'just directly use browser via CDP connection' if no tools are available, highlighting this broad capability. Ensure the CDP endpoint points to a strictly sandboxed browser instance, ideally running in an isolated container or virtual machine with no access to the host filesystem or network beyond what is absolutely necessary. Implement strict content security policies within the browser. Limit the types of URLs the browser can navigate to. Consider implementing a proxy or a more granular permission model for CDP commands. | LLM | script.js:15 |
| MEDIUM | **Unpinned npm dependency version.** Dependency `@modelcontextprotocol/sdk` is not pinned to an exact version (`^1.0.0`). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/faisalive/browser-ability/package.json |
| MEDIUM | **Unpinned Dependencies in `package.json`.** The `package.json` file uses caret (`^`) ranges for its direct dependencies (`@modelcontextprotocol/sdk: ^1.0.0`, `dotenv: ^16.4.0`). This means that `npm install` could pull in any future minor or patch versions of these packages. While `package-lock.json` pins exact versions, a fresh `npm install` on a new environment might resolve to a newer, potentially vulnerable version if a supply chain attack or a new vulnerability is introduced in a later release within the specified range. This increases the risk of inadvertently introducing vulnerabilities or malicious code. Pin dependencies to exact versions (e.g., `1.0.0` instead of `^1.0.0`) to ensure deterministic builds and prevent unexpected updates. Regularly audit and update dependencies to known secure versions. | LLM | package.json:10 |
Full report: https://skillshield.io/report/894a7dd212f50d5d