PinchTab

Security checks across malware telemetry and agentic risk

Overview

PinchTab appears to be a legitimate browser automation plugin, but it needs review because it documents anti-bot challenge solving and exposes powerful authenticated-browser controls that require strict user control.

Install only if you intentionally need agent browser control and can run PinchTab in a tightly controlled setup. Use localhost or a trusted server with a token, set allowedDomains, keep evaluate/download/upload disabled unless needed, avoid personal browser profiles, and require explicit approval for account-changing actions, authenticated downloads, network exports, and any challenge-solving or anti-bot workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This section explicitly recommends using a CAPTCHA/Cloudflare solving endpoint to bypass anti-bot protections, even though the file is framed as an optimization playbook rather than a narrowly scoped, authorized testing guide. That makes the capability risky because it enables evasion of access controls and anti-automation defenses, which can facilitate unauthorized scraping or account abuse if used outside a clearly permitted context.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The manifest advertises a single browser-control tool that can navigate, interact with pages, take snapshots/screenshots, execute evaluate actions, and handle PDFs, but it does not define clear trigger constraints, scope limits, or user-consent boundaries in the manifest itself. Because the plugin also activates on startup, this broad capability surface increases the chance of unintended or overly permissive use by an agent, especially in environments where tool invocation policy is inferred from descriptions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This manifest exposes highly capable browser automation primitives, including page interaction, screenshots, snapshots, potential file transfer, and optional JavaScript evaluation, without visible user-facing warnings about privacy, credential exposure, data capture, or system-side effects. Although some dangerous options default to false, the overall tool remains powerful and startup-enabled, so weak disclosure can lead to users or orchestrators underestimating the risk of data exfiltration, account misuse, or execution of unsafe browser actions.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The re-authentication guidance tells the operator to navigate to a login page and fill credentials, but it provides no safeguards for handling secrets, no warning about least-privilege use, and no instruction to avoid logging or exposing credentials in command history. In an agent context, that omission increases the chance that sensitive authentication data will be mishandled, stored insecurely, or entered into an unverified page.

Natural-Language Policy Violations

High
Confidence
97% confidence
Finding
The documentation exposes built-in challenge-solving and CAPTCHA/interstitial bypass capabilities with operational guidance but without requiring proof of user authorization, allowed-use boundaries, or anti-abuse controls. In an agent skill context, this materially enables automated circumvention of access controls and bot-detection systems, which can be used for unauthorized scraping, account abuse, or evasion of site protections.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The example directs an active persisted browser profile to mail.google.com and then snapshots the page, which can capture sensitive account contents, tokens, or personal data from a real logged-in session. In an agent skill context, this is more dangerous because profiles are intentionally reused across human and agent activity, increasing the chance that automation operates on a privileged personal account without explicit warning or consent boundaries.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Returns base64 JSON by default (uses browser session/cookies/stealth)
curl "/download?url=https://site.com/report.pdf"

# Raw bytes (pipe to file)
curl "/download?url=https://site.com/image.jpg&raw=true" -o image.jpg
```
Confidence
88% confidence
Finding
curl "/download?url=https://site.com/report.pdf" # Raw bytes (pipe to file) curl "/download?url=https://site.com/image.jpg&raw=true" -o image.jpg # Save directly to disk in a safe temp location curl

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Export as HAR 1.2 (stream to response)
curl /network/export?format=har

# Export as NDJSON (one JSON per line)
curl /network/export?format=ndjson
```
Confidence
95% confidence
Finding
curl /network/export?format=har # Export as NDJSON (one JSON per line) curl /network/export?format=ndjson # Save to server-side file curl "/network/export?format=har&output=file&path=session.har" #

VirusTotal

61/61 vendors flagged this plugin as clean.
