Security Audit
pinchtab/pinchtab:skill/pinchtab
github.com/pinchtab/pinchtab
Trust Assessment
pinchtab/pinchtab:skill/pinchtab received a trust score of 78/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 1 medium, and 1 low severity. Key findings include arbitrary JavaScript execution via `pinchtab eval`, risk of data exfiltration or credential harvesting if a non-dedicated Chrome profile is used, and default local API access without authentication.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on March 12, 2026 (commit eeaa6306). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Arbitrary JavaScript execution via `pinchtab eval`. The skill explicitly demonstrates the ability to execute arbitrary JavaScript code within the controlled Chrome browser instance via the `pinchtab eval` command. An attacker could craft a prompt to the agent that instructs it to call this command with malicious JavaScript. This JavaScript could then access sensitive information (e.g., cookies, local storage, DOM content), interact with web APIs, or perform other actions within the browser's context, leading to data exfiltration or other client-side attacks. Implement strict input validation and sanitization for any arguments passed to `pinchtab eval` if the agent is expected to generate these arguments from untrusted input. Consider if `eval` is strictly necessary for agent functionality, or if more constrained browser interaction methods could be used. If `eval` is required, ensure the agent's prompts are heavily guarded against injection, and consider a whitelist of allowed JavaScript functions/patterns. | LLM | SKILL.md:100 |
| MEDIUM | Risk of data exfiltration/credential harvesting if non-dedicated Chrome profile is used. The skill explicitly warns that using a Chrome profile with saved logins allows agents to access authenticated sites and that cookies/logins persist. If the user fails to follow the recommendation to use a dedicated, empty browser profile (`BRIDGE_PROFILE`), a compromised agent could be instructed to navigate to sensitive authenticated sites and then exfiltrate data (e.g., by reading DOM content, cookies via `eval`, or submitting forms) to an attacker-controlled endpoint. This is a significant risk if the secure setup is not strictly adhered to. Strongly emphasize the critical importance of using a dedicated, empty browser profile. Consider making this the default behavior or providing a more robust mechanism to enforce it. The agent should be designed to never operate on a user's primary browser profile. | LLM | SKILL.md:20 |
| LOW | Default local API access without authentication. By default, Pinchtab runs on `port 9867` without requiring authentication, although it binds to `localhost` (127.0.0.1). While this limits network exposure to the local machine, any other process running on the same machine could potentially connect to and control the browser instance. If another local process (e.g., a different skill, or malware) is compromised, it could leverage this unauthenticated local API to perform actions within the browser, potentially leading to data exfiltration or other malicious activities. The skill recommends using `BRIDGE_TOKEN` for security, but this is not the default. Consider making `BRIDGE_TOKEN` mandatory even for local connections, or at least strongly recommend it as a default for any agent integration. Alternatively, provide a clear warning that any local process can control the browser if no token is set. | LLM | SKILL.md:60 |