browse

No clear evidence of malware (no remote exfiltration, cryptomining, reverse shells, or filesystem damage). However, the code has meaningful high-impact security behaviors: it spawns a local external CLI with environment propagation (potential secret exposure), it can be directed to spawn an alternate binary via BROWSE_TERMINAL_BINARY, and it forwards arbitrary authenticated WebSocket bytes directly into the terminal of the spawned process. It also persists browser tab metadata (URLs/titles/etc.) to disk, which is sensitive. Overall, this is more of a powerful local integration component than overtly malicious code, but it should be carefully permissioned and environment-controlled.

SUSPICIOUS: the browsing and QA capabilities are legitimate, and the Bun installer evidence points to same-project/official provenance rather than an obvious malicious payload. But the skill’s actual footprint is materially broader than browser QA: it runs many opaque local gstack binaries, includes opt-in telemetry and remote GBrain sync, can modify/commit repo files, and exposes transitive trust via nested browser-skills. This looks more like a full gstack platform bootstrap wrapped around a browse tool than a narrowly scoped browser skill.

This module is not performing technical exfiltration by itself (no JavaScript/network actions), but it embeds multiple high-risk social-engineering and instruction-injection payloads—including hidden credential-exfiltration instructions and malicious aria-label directives referencing external attacker-controlled domains. Treat the page as hostile content suitable for prompt-injection/credential-theft risk during rendering or automated consumption; review/sanitize untrusted HTML and neutralize or remove embedded external instructions.

Overall, this module is a high-sensitivity local orchestration CLI: it persists credential-like setup material to disk, controls a local server over localhost using bearer tokens, and dynamically spawns a companion terminal-agent from a filesystem-resolved path, while also performing aggressive process cleanup/killing. No direct evidence of overt malware behavior (external exfiltration, reverse shells, cryptomining, or remote C2) is present in this fragment, but the dynamic agent execution and untrusted command/argument forwarding create meaningful supply-chain and trust-boundary risk if local state/files or command handling downstream are compromised.