real-browser

Warn

Audited by Socket on Mar 16, 2026

2 alerts found:

Anomaly x2

Anomaly LOW
SKILL.md

The skill is purpose-consistent: it launches a real logged-in Chrome and delegates browser automation to a same-org companion skill. It is not overtly malicious, but it is high-impact because it uses cloned login state, broad browser automation, and transitive skill trust; overall this is best classified as suspicious/high-risk automation rather than malware.

Confidence: 82%, Severity: 68%

Anomaly LOW
scripts/real_browser.sh

Legitimate tooling: The script is a convenience tool to clone a user's Chrome profile and launch a separate Chrome instance exposing Chrome DevTools Protocol for automation. It does not contain code that exfiltrates data or spawns remote shells. However, it intentionally copies sensitive authentication data (cookies, login databases, localStorage, indexedDB, etc.) into a new profile and exposes that profile to local CDP clients. This design creates a high-sensitivity capability: any local process able to reach http://127.0.0.1:${PORT} (or the agent-browser tool invoked) can access and extract the user's session tokens and other secrets via CDP. Therefore the script is safe in trusted, single-user environments when used as intended, but it is potentially dangerous if run in untrusted contexts or bundled into code that executes it without user consent. I do not classify it as malware, but it presents a meaningful privacy/security risk due to cloning and exposing login state.

Confidence: 90%, Severity: 60%

Audit Metadata

Analyzed At: Mar 16, 2026, 06:03 PM
Package URL: pkg:socket/skills-sh/xxww0098%2Fskills-hub%2Freal-browser%2F@e2e0d4da628f0e3117d8d13f1e75f866d7b370ea