browser-tools

Warn

Audited by Socket on Feb 28, 2026

1 alert found:

Security: MEDIUM
SKILL.md

This browser-tools skill provides legitimate and useful capabilities for agent-driven web automation (navigation, JS evaluation, element picking, cookie inspection, screenshots, and content extraction). However, several features significantly increase security and privacy risk: copying and using a user's Chrome profile (--profile) grants access to cookies and saved sessions; arbitrary JavaScript evaluation in page context can read secrets; and cookie output combined with stdout/temporary files can leak sensitive data to the agent or downstream systems. The npm install step introduces a normal supply-chain risk if dependencies are unpinned. Overall the footprint is coherent with browser automation, but the skill requires strict safeguards (explicit user consent before using profiles, restrict eval to trusted snippets, avoid printing raw cookies, use lockfiles, and document data-handling policies). Treat this as a medium-to-high risk tool in contexts where user credentials or sensitive pages may be accessed, and ensure human oversight and least privilege when enabling profile access.

Confidence: 80%
Severity: 75%

Audit Metadata

Analyzed At: Feb 28, 2026, 11:39 AM
Package URL: pkg:socket/skills-sh/brettatoms%2Fagent-skills%2Fbrowser-tools%2F@78410841dc5c0b9c2fd5557051a20fbd284248f0