browser-probe
Audited by Socket on Jul 7, 2026
4 alerts found:
SecurityAnomalyx3SUSPICIOUS: the install trust is mostly coherent and official, but the skill’s primary purpose is to help an AI agent evade website bot protections using stealth, fingerprint workarounds, and persistent sessions. That offensive bypass capability is high-risk and disproportionate to ordinary web automation, even without clear credential theft or malware behavior.
This module is best characterized as an automated website probing/reconnaissance utility using Playwright to detect and classify CDN/WAF/bot-challenge outcomes. It includes explicit bot-evasion features (stealth-init.js and user-agent override) and executes a fixed page-context JavaScript snippet to extract health signals. No clear malware behavior (e.g., credential theft, command-and-control, persistence, or exfiltration) is evident in the provided fragment; the main security concern is contextual—its evasion-oriented design and reliance on an external, unseen stealth-init.js file.
No classic malware behavior is evident in the shown snippet; it does not perform data theft, persistence, or network exfiltration. However, the fragment is explicitly intended to evade headless and CDN/WAF bot detection by spoofing browser-identifying properties (navigator.webdriver/plugins/languages and window.chrome) and by adjusting HTTP User-Agent (and optionally other headers). As a supply-chain dependency, this constitutes a meaningful security-control bypass/abuse-enablement risk, even if not outright malicious malware.
This module is a browser fingerprint/automation-evasion snippet: it alters navigator.webdriver, navigator.plugins, and navigator.languages and stubs window.chrome.runtime to make automated/headless environments appear more like a real Chrome browser. While there is no direct malicious payload (e.g., data theft or command execution) in this fragment, its intent is clearly evasive and could be used to bypass security controls in automated browsing contexts. Additional code outside this fragment would be needed to confirm whether it supports broader malicious activity.