browser-cloud
Audited by Socket on Apr 3, 2026
4 alerts found:
Anomaly x3, Security
SUSPICIOUS: The skill is broadly aligned with its stated browser-cloud purpose and uses apparently official package and service channels, so it is not strongly indicative of malware. However, its footprint is high-impact: stealth browsing, auth persistence, tunnel access to internal URLs, file transfer, and agent-driven web actions create meaningful security risk and require strong user oversight.
This code is a cloud-browser form automation and scraping utility. It does not show direct malicious payload behavior (no obvious backdoor/system compromise), but it can be repurposed to submit arbitrary data to arbitrary URLs and to collect and return/log page text after submission. Combined with stealth/evasion settings and the included pattern of using hardcoded credentials in the example, the security risk is moderate and should be reviewed for safe usage boundaries (input allowlisting, redaction, and log controls) if used beyond controlled testing.
This code is primarily an LLM-integrated cloud browsing/scraping tool. It reads and returns webpage content (and derived signals like presence of login forms) from URLs provided at runtime, authenticating to a third-party browser automation service using environment-based credentials and enabling session video capture. The fragment shows no clear malware/backdoor primitives, but it does present a meaningful security risk from lack of visible URL validation and from returning/surfacing potentially sensitive scraped content and session metadata to an agent and logs. Recommend adding strict URL allowlisting/protocol restrictions, minimizing returned content, and ensuring sensitive outputs are not logged or exposed to untrusted downstream components.
No strong evidence of embedded malware in this fragment. However, it has notable security/abuse risk characteristics: (1) persistent authentication cookie/profile storage on disk (described as plaintext), (2) potential credential exposure/submission if taskUrl is not strictly allowlisted (login form detection triggers credential entry on whatever page is navigated to), and (3) returning scraped authenticated page text to the caller, which can unintentionally leak sensitive content. Additionally, stealth and provider video/console capture increase operational visibility and evasion-related concerns. This code should be used only with strict URL allowlisting and strong controls around profile-file storage and upstream handling of returned page content.