chrome-devtools
Audited by Socket on Feb 23, 2026
1 alert found:
Malware [Skill Scanner]: Instruction to copy/paste content into terminal detected.

This skill's functionality is consistent with its stated purpose (browser automation via DevTools). I find no direct evidence of embedded malware in the provided documentation. However there are notable supply-chain and data-exposure risks: the examples repeatedly perform runtime installs of an unpinned package (bunx -y ...@latest) and execute it immediately, and the skill can access full browser content (cookies, localStorage, authenticated pages) and execute arbitrary JS, which could be used to harvest credentials or exfiltrate data if the remote package is malicious or becomes compromised.

Recommendation: treat this as 'suspicious/vulnerable' rather than confirmed malware. Require pinned releases with checksums, audit the remote package code before use, and avoid running it against privileged or sensitive browser profiles.

LLM verification: The skill documentation legitimately describes a DevTools automation capability and its capabilities align with its purpose. There is no direct evidence in this text of embedded malware or obfuscated malicious code. However, multiple supply-chain risk patterns are present: unpinned dependency installs (go install @latest, bunx -y chrome-devtools-mcp@latest), copy-paste download-and-execute pipelines, and instructions that give the tool full access to browser content. Those patterns create plausi