pricewin-hotel-deal-finder
Audited by Socket on Jul 14, 2026
2 alerts found:
AnomalySecuritySUSPICIOUS. The core behavior mostly matches a hotel comparison skill, but it requires transitive installation from a GitHub-hosted skill repo and executes local scraping code with stealth browser automation. Data collection appears limited and no credential harvesting is evident, so this is better classified as medium-risk supply-chain and agent-execution exposure rather than malware.
No explicit evidence of intentionally malicious payload (e.g., credential theft, persistence, or hardcoded exfiltration) is present in this module. However, it implements a high-privilege local browser automation/extraction service: it accepts arbitrary URLs and selector/ref instructions from untrusted HTTP requests, drives automated interactions, and returns extracted DOM content over HTTP. Combined with Chromium launched with '--no-sandbox' and the absence of authorization checks in this file, the security risk is elevated, particularly if an attacker can reach the daemon.