Trust Assessment
nova-act received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium, and 0 low severity. Key findings include Prompt Injection in the 'task' parameter, Data Exfiltration via arbitrary URL navigation and prompt-driven extraction, and Unpinned dependencies in 'nova_act_runner.py'.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Prompt Injection in 'task' parameter.** The 'task' parameter, which is a natural language prompt, is directly passed to the 'nova.act_get()' function of the 'NovaAct' browser automation tool. A malicious user can craft this prompt to manipulate the underlying LLM controlling the browser, leading to unintended actions such as navigating to arbitrary websites, extracting sensitive data from the browser context (e.g., cookies, local storage, form data), or attempting to exfiltrate data. The 'SKILL.md' explicitly states the 'task' is a 'Natural language task description', confirming its susceptibility to prompt injection. Remediation: implement robust prompt sanitization or validation to restrict the scope of actions the LLM can perform based on user input. Consider using a fixed set of allowed actions or a more structured input format for critical operations. If natural language is required, employ techniques like prompt templating with strict variable insertion, or a separate LLM-based safety layer to filter malicious instructions. | LLM | scripts/nova_act_runner.py:46 |
| HIGH | **Data Exfiltration via arbitrary URL navigation and prompt-driven extraction.** The 'url' parameter, directly controlled by the user, is used to set the 'starting_page' for the 'NovaAct' browser instance. This allows the skill to navigate to any arbitrary URL, including potentially malicious ones. Combined with the prompt injection vulnerability in the 'task' parameter, a malicious user could instruct the browser to navigate to a controlled domain and then use 'nova.act_get()' to extract sensitive information (e.g., from the browser's current session, local storage, or even environment variables if the browser process has access) and exfiltrate it to the attacker-controlled URL or via the skill's output channel. Remediation: restrict the 'url' parameter to a whitelist of trusted domains or implement strict URL validation to prevent navigation to arbitrary external sites. Additionally, ensure the 'NovaAct' browser instance operates in a highly isolated environment (e.g., an ephemeral, sandboxed container) with no access to host system resources or other browser sessions. Review the 'NovaAct' library's capabilities for data extraction and exfiltration. | LLM | scripts/nova_act_runner.py:45 |
| MEDIUM | **Unpinned dependencies in 'nova_act_runner.py'.** The 'scripts/nova_act_runner.py' file specifies dependencies ('nova-act', 'pydantic>=2.0', 'fire') without pinning them to exact versions. This introduces a supply chain risk where a future, potentially vulnerable or malicious, version of any of these libraries could be installed, compromising the skill. While 'pydantic' and 'fire' are widely used, 'nova-act' is a custom library whose security posture is unknown. Remediation: pin all dependencies to exact versions (e.g., 'nova-act==1.2.3', 'pydantic==2.5.3', 'fire==0.5.0') to ensure deterministic builds and prevent unexpected changes from upstream packages. Regularly review and update these pinned versions. | LLM | scripts/nova_act_runner.py:3 |