browserforce

Warn

Audited by Socket on Mar 18, 2026

1 alert found:

Security: MEDIUM
SKILL.md

This skill's stated purpose (control the user's real Chrome) matches the documented capabilities. However, the capability set (arbitrary one-shot Playwright JS executed in the user's real, logged-in browser; access to all cookies and extensions; unrestricted network access via the browser) is extremely powerful and easily abused for data exfiltration or unauthorized actions. There is no documented restriction preventing the agent from reading sensitive page content, localStorage, or cookies and then sending that data to attacker-controlled endpoints. I classify this skill as SUSPICIOUS / HIGH RISK for supply-chain and data-exfiltration threats: it is not provably malicious by itself (no embedded exploit payloads), but its design permits straightforward credential harvesting and exfiltration when misused. Recommended mitigations: require strict allowlists for domains the agent may access, require user confirmation for any -e execution that reads cookies/localStorage or performs network requests, avoid wildcard allowed-tools, and add pinned versions and transparency about the relay/extension endpoints.

Confidence: 85%
Severity: 85%

Audit Metadata
Analyzed At: Mar 18, 2026, 02:33 AM
Package URL: pkg:socket/skills-sh/ivalsaraj%2Fbrowserforce%2Fbrowserforce%2F@f63fb955ec21c19179dd6ec661360ad559400222