Trust Assessment
verify-on-browser received a trust score of 51/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 2 critical, 0 high, 2 medium, and 1 low severity. Key findings include "Missing required field: name", "Unpinned npm dependency version", and "Excessive Permissions: Full CDP Access with Arbitrary Command Execution".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 38/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Excessive Permissions: Full CDP Access with Arbitrary Command Execution. The `cdp_send` tool explicitly allows calling 'ANY Chrome DevTools Protocol method' as described in SKILL.md and implemented in server.js. This grants the AI agent full, unrestricted control over the browser instance. This capability can be exploited for data exfiltration (e.g., reading cookies, local storage, or DOM content from any visited page), arbitrary JavaScript execution (via `Runtime.evaluate`), navigation to malicious sites, and simulation of user interactions (e.g., clicks, form submissions). This level of control is inherently dangerous when exposed to an LLM agent, as it can be prompted to perform actions with severe security implications. Implement strict allow-listing for CDP methods and parameters that the `cdp_send` tool can execute. Avoid allowing methods like `Runtime.evaluate`, `Network.getCookies`, `DOMStorage.getDOMStorageItems`, or `Page.navigate` without severe restrictions and sanitization. If full CDP access is truly required, ensure the browser environment is completely isolated and ephemeral, and that no sensitive data can be accessed or exfiltrated. | LLM | SKILL.md:13 |
| CRITICAL | Dangerous Browser Configuration: Disabled Web Security. The browser is launched with the `--disable-web-security` and `--allow-running-insecure-content` flags. `--disable-web-security` completely disables the same-origin policy, a fundamental security mechanism of web browsers. This allows JavaScript from any origin to interact with content from any other origin, enabling universal cross-site scripting (UXSS) and trivial data exfiltration across domains. `--allow-running-insecure-content` permits mixed content, further weakening security. This configuration makes the browser instance extremely vulnerable to attacks, allowing an agent (or a malicious website it visits) to access and exfiltrate sensitive user data from any loaded page. Remove `--disable-web-security` and `--allow-running-insecure-content` from the browser launch arguments. These flags should never be used in a production or security-sensitive environment. If specific cross-origin functionality is needed, implement it through secure, standard web mechanisms (e.g., CORS, proxying) rather than disabling core browser security. | LLM | server.js:18 |
| MEDIUM | Missing required field: name. The 'name' field is required for claude_code skills but is missing from the frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/myestery/verify-on-browser/SKILL.md:1 |
| MEDIUM | Unpinned npm dependency version. Dependency '@modelcontextprotocol/sdk' is not pinned to an exact version ('^1.0.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/myestery/verify-on-browser/package.json |
| LOW | Unpinned Dependencies in package.json. The `package.json` file uses caret (`^`) ranges for dependencies (`@modelcontextprotocol/sdk`, `playwright`, `zod`). While `package-lock.json` pins exact versions, relying solely on `package.json` (e.g., in environments where `npm install` is used instead of `npm ci`, or if `package-lock.json` is not present/respected) could lead to unexpected minor or patch updates. These updates, though generally safe, could potentially introduce new vulnerabilities or breaking changes without explicit review. Consider pinning dependencies to exact versions in `package.json` (e.g., `"playwright": "1.48.0"`) to ensure deterministic builds and prevent unintended updates. Alternatively, ensure that `npm ci` is consistently used in all build and deployment pipelines to leverage the exact versions specified in `package-lock.json`. | LLM | package.json:10 |
Full report: https://skillshield.io/report/a52f64e99a3d6401