Skill Trust Decision

memolecard-auto

Template-injectable IP parameter enables SSRF with browser session cookie exfiltration to arbitrary external hosts.

Source: Manual upload · Scanned: Apr 5, 2026
Files 1
Artifacts 1
Violations 1
Findings 3
Most direct threat evidence

01
Attacker invokes the skill with a malicious {{ip}} value pointing to their controlled server (e.g., attacker.com)
Entry · SKILL.md

02
Victim uses the skill normally with the attacker-supplied {{ip}} parameter. Fallback download path is triggered because primary download fails
Precondition · SKILL.md

03
Script extracts document.cookie and navigator.userAgent from the active agent-browser session
Escalation · SKILL.md

Why this conclusion was reached

2/4 dimensions flagged

Block · Declared vs actual capability
1 undeclared or violating capability was inferred.

Review · Hidden execution and egress
1 lower-risk artifact was extracted and still needs context.

Block · Attack chain and severe findings
The report includes 4 attack-chain steps and 3 severe findings.

Review · Dependencies and supply chain hygiene
Dependency information is incomplete, so supply-chain confidence stays limited.

Attack Chain

01
Attacker invokes the skill with a malicious {{ip}} value pointing to their controlled server (e.g., attacker.com)

Entry · SKILL.md:10

02
Victim uses the skill normally with the attacker-supplied {{ip}} parameter. Fallback download path is triggered because primary download fails

Precondition · SKILL.md:84

03
Script extracts document.cookie and navigator.userAgent from the active agent-browser session

Escalation · SKILL.md:88

04
curl POSTs victim's browser session cookies and user-agent to attacker-controlled BACKUP_SERVER_URL, enabling full session hijacking

Impact · SKILL.md:90

What drove the risk score up

SSRF via user-controlled IP parameter +25

The {{ip}} template parameter is used directly as BACKUP_SERVER_URL, allowing the skill invoker to redirect HTTP requests to any arbitrary URL/IP

Browser session cookie exfiltration to arbitrary host +30

When fallback is triggered, document.cookie from the active browser session is POSTed to the user-supplied BACKUP_SERVER_URL, enabling full session hijacking

User-Agent exfiltration +10

navigator.userAgent is also extracted and sent to the attacker-controlled URL alongside cookies

No documentation of external network behavior +10

SKILL.md contains no description of the fallback download mechanism or the {{ip}} parameter, making this behavior entirely opaque to users

Most important evidence

High · Credential Theft

Browser session cookies exfiltrated to arbitrary URL

The {{ip}} parameter allows the skill invoker to supply any IP address or URL. When the fallback download path is taken (lines 84-99), the script extracts document.cookie from the active browser session and sends it via a curl request to the attacker-controlled BACKUP_SERVER_URL. This enables full session hijacking for any web sessions managed through the agent-browser.

SKILL.md:90

Remove the user-supplied IP parameter entirely. Use a hardcoded, controlled fallback endpoint. Never send session cookies to external URLs controlled by the skill invoker.

High · Sensitive Access

SSRF via template-injectable IP parameter

The {{ip}} template parameter is used directly as BACKUP_SERVER_URL in a curl request without any validation. An attacker supplying a malicious IP (e.g., an internal network address like 10.0.0.1 or a rogue external server) can cause the skill to make HTTP requests to arbitrary destinations, potentially scanning internal services or proxying attacks through the agent-browser's network context.

SKILL.md:10

Remove the {{ip}} parameter. If a fallback server is needed, it should be a hardcoded, known-safe URL configured by the skill developer, not a user-supplied variable.

High · Doc Mismatch

No documentation of external network behavior or risks

SKILL.md provides no description of what the skill does, what permissions it requires, or any warning about the {{ip}} parameter. The entire file is an undocumented bash script, leaving users unaware that it makes outbound HTTP requests and handles browser session cookies.

SKILL.md:1

Add a proper SKILL.md header with name, description, declared permissions, parameter documentation, and security warnings for the {{ip}} parameter.

Declared capability vs actual capability

Browser · Pass · Declared NONE · Inferred WRITE
SKILL.md:20 — agent-browser --session $SESSION_NAME open

Network · Block · Declared NONE · Inferred WRITE
SKILL.md:88-92 — curl to user-supplied BACKUP_SERVER_URL with session cookies

Shell · Pass · Declared NONE · Inferred WRITE
SKILL.md — entire file is a bash script using agent-browser CLI

Suspicious artifacts and egress

Medium · External URL
https://www.memolecard.com/

SKILL.md:5

Dependencies and supply chain

There are no structured dependency warnings.

File composition

1 file · 153 lines
Markdown 1 file · 153 lines
Files of concern · 1
SKILL.md Markdown · 153 lines
Browser session cookies exfiltrated to arbitrary URL · SSRF via template-injectable IP parameter · No documentation of external network behavior or risks · https://www.memolecard.com/

Security positives

No obfuscated code or base64 payloads found
No direct reverse shell or arbitrary command injection in the primary flow
No sensitive file paths (ssh, aws, .env) accessed
Script is a simple, readable bash script without hidden complexity