Is email-daily-summary safe?

The skill uses 'browser-use --browser real' to attach to the user's actual Chrome browser with all active authenticated sessions. This gives the skill full access to any website the user is logged into, including email, banking, social media, and corporate tools. The skill is not limited to email — it can navigate to any URL using the user's authenticated session.

The 'browser-use eval' command executes arbitrary JavaScript on authenticated email pages. This JavaScript runs with full DOM access, can read cookies, session tokens, CSRF tokens, and can make authenticated API requests on behalf of the user. It could silently add email forwarding rules, read any email, download attachments, or modify account settings.

The 'browser-use python' command executes arbitrary Python code with access to a browser automation object. Python has unrestricted filesystem and network access, meaning this can read any local file, make network requests to any server, and interact with any authenticated web page.

The allowed-tools declaration 'Bash(browser-use:*)' grants the agent permission to run ANY browser-use subcommand. This includes eval (JavaScript execution), python (Python execution), open (navigate to any URL), screenshot (capture screen), input (type into forms), click (interact with UI), and extract (send page content to external API). This is far broader than what an email summary tool needs.

The skill extracts full email metadata (sender, subject, snippet, time) from up to 20+ emails per session via JavaScript DOM parsing. The 'browser-use extract' command sends this extracted email content to an external AI API for processing, transmitting private email data to a third-party service.

During the skill installation (clone) phase, filesystem monitoring detected reads of sensitive files including .env (environment secrets), .aws/credentials (AWS access keys), and auth-profiles.json (agent authentication profiles). While this may be due to the host runtime rather than the skill itself, the skill's installation triggered access to credential files.

The skill instructs the agent to install persistent scheduled tasks via crontab (Linux) or launchd plist (macOS) that execute a shell script daily at 9 AM. This establishes persistence — the email harvesting continues running even when the user is not actively using the AI agent, without ongoing consent.

The skill explicitly instructs the agent to handle email login credentials — typing email addresses and passwords into form fields. This normalizes the agent handling raw credentials and could lead to credential exposure in logs, conversation history, or to other skills.

The skill requires installing 'browser-use[cli]' via pip, which downloads and executes code from PyPI. Pip packages can contain arbitrary post-install scripts. The browser-use package itself is a powerful browser automation tool that, once installed, gives the agent complete browser control capabilities.

An email summary tool should only need read access to email content via IMAP/API. Instead, this skill requests full browser automation with JavaScript/Python execution, screenshot capabilities, form interaction, URL navigation, and persistent scheduled execution. The attack surface is orders of magnitude larger than what the stated functionality requires.