web-browser

Warn

Audited by Socket on Mar 29, 2026

3 alerts found:

Anomaly x2, Security

Anomaly: LOW
scripts/start.js

This module primarily orchestrates local browser automation by launching/reusing Chrome with DevTools remote debugging enabled and optionally copying the user’s Chrome profile into a local cache directory. The strongest security concern is privacy/high-impact data handling (cloning cookies/logins) combined with enabling a powerful debugging interface on a fixed localhost port. No explicit outbound exfiltration or overt malware behavior is evidenced in the shown fragment, but the spawned watch.js script is the key unknown where sensitive data harvesting or further actions could occur. Overall: elevated security/privacy risk that warrants inspection of watch.js and runtime monitoring of file/DevTools access and any network activity.

Confidence: 62%; Severity: 61%

Anomaly: LOW
scripts/eval.js

This tool provides powerful debugging capabilities by evaluating arbitrary code within a live browser page context via CDP. While useful for debugging, it poses significant security risks if exposed to untrusted input or deployed in insecure environments due to lack of sandboxing, data access within the page, and potential manipulation of page state. No hardcoded secrets are evident, but the core capability should be tightly access-controlled or sandboxed. Improved safety would include input validation, restricted API surface, and a sandboxed evaluation environment.

Confidence: 68%; Severity: 60%

Security: MEDIUM
SKILL.md

SUSPICIOUS. The stated purpose matches browser automation via Chrome CDP, but the skill grants broad authenticated browsing capability through profile copying and persistent page/network logging. The main concern is trust and scope: local scripts are unverifiable from the provided text, yet they can access cookies/logins and interact with arbitrary sites. No direct external exfiltration is shown, so this is not confirmed malware, but it is a high-risk browser-control skill.

Confidence: 82%; Severity: 78%

Audit Metadata
Analyzed At: Mar 29, 2026, 09:48 PM
Package URL: pkg:socket/skills-sh/mitsuhiko%2Fagent-stuff%2Fweb-browser%2F@b1247db07e403b0c29b1affb16cee88dcac409ef