chrome-automation
Audited by Socket on Apr 1, 2026
4 alerts found (alert types: Anomaly, Security x3):
This module is a GUI/accessibility automation utility for Chrome/Chromium: it locates the browser in the AT-SPI tree, finds UI elements, performs click/activation actions, injects keystrokes/typed text via xdotool, can navigate by typing URLs, and can capture screenshots via scrot. While there is no explicit evidence of malware, C2, or credential theft in this fragment, its capabilities (keystroke injection, UI manipulation, and screen capture with user-influenced output paths) are potentially privacy-invasive and abuse-prone. Main review focus should be on packaging/distribution intent and operational controls (who can run it, required permissions, and restrictions on screenshot path and input targets).
No explicit malware behavior (e.g., clear exfiltration, reverse shells, destructive actions) is visible in this fragment. However, the setup introduces substantial security risk through a hardcoded predictable VNC password and the use of eval on dbus-launch output in the generated xstartup script. Additionally, it deploys and symlinks multiple executable helper components into /usr/local/bin as part of the same installation flow, so the security of the overall package depends heavily on those companion scripts’ integrity. Treat this as a high-exposure remote-access automation installer that requires credential hardening and careful review of the referenced helper scripts.
No explicit evidence of intentional malware is present in the provided description, but the deployment design shows significant security risks: a disclosed/default VNC credential, exposure via VNC/noVNC remote GUI surfaces, and Chrome launched with --no-sandbox plus forced renderer accessibility. Because the actual implementation files are not included, potential additional malicious behaviors cannot be ruled out; treat this as high-risk for unauthorized access and browser/renderer compromise until the real scripts (setup/start-chrome-automation/chrome-a11y/chrome-monitor/stop) are reviewed and network/auth controls are verified.
SUSPICIOUS: The skill’s purpose matches browser automation, but its footprint includes a high-risk browser configuration and dependence on an unverifiable chrome-a11y controller. Data flow is mostly local-to-browser and not overtly exfiltrative, yet the combination of arbitrary web interaction, UI control, and disabled sandboxing makes the skill high risk.