agent-browser

Fail

Audited by Snyk on Apr 13, 2026

Risk Level: CRITICAL

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt contains explicit examples and command forms that embed plaintext secrets and tokens into CLI arguments (e.g., fill "password123", CDP websocket URLs with ?token=..., and curl-like auth patterns), which would require the LLM to emit secret values verbatim and risk exfiltration.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.90). These URLs include an explicit malicious domain, several untrusted/third‑party domains (and a raw GitHub content URL used for automatic update checks), plus localhost and staging/prod endpoints that could be abused to serve arbitrary binaries — together these are high risk if the skill downloads or executes files from them.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill's mandatory workflow in SKILL.md requires navigating arbitrary URLs and extracting page content (e.g., "agent-browser open ", "agent-browser snapshot -i", "agent-browser get text body") which clearly fetches and ingests untrusted public web pages whose content is used to drive subsequent interactions and decisions.

Issues (3)

  • HIGH W007: Insecure credential handling detected in skill instructions.
  • CRITICAL E005: Suspicious download URL detected in skill instructions.
  • MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata

Risk Level: CRITICAL
Analyzed: Apr 13, 2026, 04:21 PM
Issues: 3