Virtual Desktop — Universal Browser Execution

Claiming a persistent Playwright-based browser fits the stated capability and required binaries (python3, playwright). However, declaring PLATFORM_EMAIL and PLATFORM_PASSWORD as required top-level env vars is odd: the code and docs say per-platform env var names will be passed in at runtime, so requiring generic PLATFORM_* at install/registration is inconsistent and could coerce users into supplying broad credentials unnecessarily.

SKILL.md instructs the agent to create a browser_control.py file in /workspace/skills via a heredoc, read and write many workspace files (sessions, audit, logs, .learnings), and to persist session JSONs containing auth tokens. Metadata also states that screenshots and action confirmations will be sent over the agent's existing Telegram channel. Those behaviors (writing executable code at runtime, persistent session storage, automated screenshot posting) expand the scope well beyond a simple 'navigation helper' and could leak sensitive data if not tightly controlled.

There is no formal install spec (instruction-only), which reduces supply-chain risk, but the SKILL.md explicitly writes Python code into the container at setup time (cat heredoc → /workspace/skills/virtual-desktop/browser_control.py). That gives the skill persistent code on disk and effectively performs an installation step via instructions—review the generated code before executing it.

The skill requires PLATFORM_EMAIL and PLATFORM_PASSWORD at registration and marks PLATFORM_EMAIL as primaryEnv, yet the documentation claims it will only read env vars when explicitly asked. The required read paths include user files (/workspace/USER.md, /workspace/TOOLS.md) which may contain PII/credentials. Metadata allows outbound requests to https://*.* (very broad) and automatic sending of screenshots via Telegram—both increase exfiltration risk and are not narrowly scoped to specific target services.

The skill persists session tokens, logs, screenshots, and writes the browser_control.py helper into workspace directories so state survives across runs. While always:false (not force-included), these persistent artifacts combined with broad network behavior and automated Telegram posting raise the risk profile: stored tokens and screenshots could be exfiltrated if the agent or skill is misused.