Trust Assessment
smooth-browser received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 0 critical, 5 high, 1 medium, and 0 low severity. Key findings include Nested Prompt Injection via 'smooth run', Data Exfiltration via Web Scraping Commands, Data Exfiltration via Local File Upload.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 18/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Description | Remediation | Layer | Location |
|---|---|---|---|---|---|
| HIGH | Nested Prompt Injection via 'smooth run' | The `smooth run` command takes natural language input that is processed by an internal AI agent. This creates a nested prompt injection vulnerability: a malicious prompt to the outer LLM could instruct the `smooth` agent to perform unintended actions within the browser, such as navigating to harmful websites, interacting with sensitive elements, or extracting private data. | Implement strict input validation and sanitization for all natural language prompts passed to `smooth run`. Consider using an allow-list for actions or domains, and ensure the `smooth` agent operates with least privilege. Educate users on the risks of providing untrusted input to the agent. | LLM | SKILL.md:67 |
| HIGH | Data Exfiltration via Web Scraping Commands | The `smooth run` and `smooth extract` commands are explicitly designed to extract data from web pages. If the LLM is compromised via prompt injection, it could be instructed to extract sensitive information (e.g., personally identifiable information, financial data, credentials) from any visited website, leading to data exfiltration. | Restrict the domains the agent can access using `--allowed-urls` to trusted sites only. Implement content filtering or data loss prevention (DLP) mechanisms on extracted data. Ensure sensitive data is not exposed on web pages accessible to the agent. | LLM | SKILL.md:72 |
| HIGH | Data Exfiltration via Local File Upload | The `smooth upload-file` command allows the agent to upload arbitrary local files. A malicious instruction, potentially via prompt injection, could lead to the exfiltration of sensitive files from the host system where the `smooth` CLI is executed. | Restrict the directories from which files can be uploaded. Implement strict validation on file types and content. Ensure the LLM is not instructed to upload files from sensitive locations based on untrusted input. | LLM | SKILL.md:255 |
| HIGH | Excessive Permissions for Browser Automation | The `smooth` tool grants extensive permissions, including full web browsing capabilities, arbitrary JavaScript execution (`smooth evaluate-js`), and local file system interaction (upload/download). While `--allowed-urls` offers some mitigation, it is optional. Without strict controls, a compromised agent could leverage these broad permissions for a wide range of malicious activities, including XSS within the browser session, unauthorized data access, or system compromise. | Always use the `--allowed-urls` option to restrict the agent's browsing scope to necessary domains. Implement strict validation and sanitization for any JavaScript code executed via `evaluate-js`. Run the `smooth` CLI in a sandboxed or containerized environment with minimal privileges. | LLM | SKILL.md:327 |
| HIGH | Unpinned Dependency in Installation Instructions | The installation instruction `pip install smooth-py` does not specify a version. This unpinned dependency introduces a supply chain risk, as a malicious update to the `smooth-py` package could be automatically installed, leading to compromise of the environment where the skill is used. | Pin the dependency to a specific, known-good version (e.g., `pip install smooth-py==X.Y.Z`). Consider using dependency locking tools and verifying package integrity (e.g., via hashes). | LLM | SKILL.md:10 |
| MEDIUM | Credential Harvesting via Configuration Display | The `smooth config --show` command is explicitly provided to display configuration. If the API key or other sensitive credentials are stored in the configuration and displayed by this command, they could be harvested or exfiltrated if the LLM is prompted to execute this command and then output the result. | Ensure that sensitive credentials like API keys are not displayed by `smooth config --show`, or are masked. Implement secure storage for API keys (e.g., environment variables, secret management services) rather than plain-text configuration files. | LLM | SKILL.md:21 |