Trust Assessment
stealth-browser received a trust score of 21/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 1 critical, 2 high, 3 medium, and 1 low severity. Key findings include Persistence / self-modification instructions, Potential data exfiltration: file read + network send, Arbitrary File Write via User-Controlled Screenshot Path.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 62/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings7
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/kesslerio/kesslerio-stealth-browser/scripts/camoufox-session.py:293 | |
| HIGH | Potential data exfiltration: file read + network send Function 'fetch_api' reads files and sends data over the network. This may indicate data exfiltration. Review this function to ensure file contents are not being sent to external servers. | Static | skills/kesslerio/kesslerio-stealth-browser/scripts/curl-api.py:103 | |
| HIGH | Unpinned Python Package Dependencies The `pip install` commands in `scripts/setup.sh` do not specify exact versions for `camoufox` and `curl_cffi`. This introduces a significant supply chain risk, as a malicious actor could publish a new, compromised version of these packages with the same name. Future installations of this skill would then unknowingly download and execute the malicious code, potentially leading to arbitrary code execution within the `pybox` container. Pin all Python package dependencies to specific, known-good versions (e.g., `camoufox==1.2.3`). It is best practice to use a `requirements.txt` file with pinned versions and install from that file. | LLM | scripts/setup.sh:20 | |
| MEDIUM | Arbitrary File Write via User-Controlled Screenshot Path The `screenshot` argument in `camoufox-fetch.py` is directly used as a file path without validation or sanitization. An attacker could provide a path containing directory traversal sequences (e.g., `../../sensitive.png`) or an absolute path to write a screenshot of the fetched page to an arbitrary location within the `pybox` container's filesystem. This could overwrite existing files or write potentially sensitive visual information to an unexpected location. Sanitize the `screenshot` path to ensure it is confined to an intended output directory. Implement strict validation to prevent directory traversal characters (`..`, `/`) and absolute paths, or use a dedicated temporary file mechanism. | LLM | scripts/camoufox-fetch.py:79 | |
| MEDIUM | Arbitrary File Write via User-Controlled Output Path (camoufox-fetch.py) The `output` argument in `camoufox-fetch.py` is directly used as a file path for saving HTML content without validation or sanitization. Similar to the screenshot vulnerability, an attacker could provide a path containing directory traversal sequences or an absolute path to write the fetched HTML content to an arbitrary location within the `pybox` container's filesystem. This could overwrite existing files or write potentially sensitive web content to an unexpected location. Sanitize the `output` path to ensure it is confined to an intended output directory. Implement strict validation to prevent directory traversal characters (`..`, `/`) and absolute paths. | LLM | scripts/camoufox-fetch.py:84 | |
| MEDIUM | Arbitrary File Write via User-Controlled Output Path (curl-api.py) The `output` argument in `curl-api.py` is directly used as a file path for saving API response content without validation or sanitization. An attacker could provide a path containing directory traversal sequences or an absolute path to write the fetched API response to an arbitrary location within the `pybox` container's filesystem. This could overwrite existing files or write potentially sensitive API response data to an unexpected location. Sanitize the `output` path to ensure it is confined to an intended output directory. Implement strict validation to prevent directory traversal characters (`..`, `/`) and absolute paths. | LLM | scripts/curl-api.py:100 | |
| LOW | Unpinned Base Container Image Recommendation The `SKILL.md` recommends creating the `pybox` container using `fedora:latest`. Using `latest` tags for container images means that the exact image content can change over time, potentially introducing new vulnerabilities or breaking changes without explicit action. While `distrobox` provides isolation, the base image forms the foundation of the environment. Recommend pinning the base container image to a specific, stable version (e.g., `fedora:39` or `fedora:stable`) to ensure reproducibility and reduce the risk of unexpected changes or vulnerabilities introduced by upstream image updates. | LLM | SKILL.md:48 |
Scan History
Embed Code
[](https://skillshield.io/report/bf9f24d1aae72575)
Powered by SkillShield