web-browser
Audited by Socket on Mar 29, 2026
3 alerts found:
Anomaly x2, Security
This tool provides powerful debugging capabilities by evaluating arbitrary code within a live browser page context via CDP. While useful for debugging, it poses significant security risks if exposed to untrusted input or deployed in insecure environments due to lack of sandboxing, data access within the page, and potential manipulation of page state. No hardcoded secrets are evident, but the core capability should be tightly access-controlled or sandboxed. Improved safety would include input validation, restricted API surface, and a sandboxed evaluation environment.
No direct evidence of overt malware (e.g., external exfiltration, backdoor, or code obfuscation) is present in this snippet. However, the module performs high-impact privacy/security actions: it can copy the user’s real Chrome profile (cookies/logins) into an automation directory and it starts Chrome with remote debugging enabled on a fixed port. The largest remaining supply-chain risk is the unconditional execution of a companion watch.js script whose behavior is not shown; if that script is malicious or compromised, the local DevTools access and copied session data could enable session takeover or other harmful actions.
SUSPICIOUS. The core browsing capability matches the stated purpose, and there is no clear evidence of off-device exfiltration or a malicious installer. However, the optional copying of a real Chrome profile with cookies/logins, combined with CDP control, page action capability, and network logging, creates disproportionate access for a generic browsing skill and raises meaningful session-theft and prompt-injection risk.