ghost-browser
Fail
Audited by Snyk on Mar 6, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The skill explicitly asks for sensitive secrets (the LinkedIn li_at cookie, the Twitter auth_token/ct0 cookies, a YouTube API key and an OpenAI API key) and instructs the user to copy them out of browser DevTools into a .env file. This encourages the agent to accept and handle raw secret values, which can then be echoed verbatim into outputs or logs.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). The referenced GitHub repository belongs to an unknown user, and the skill explicitly instructs the agent to run the downloaded Python scripts and supply them with session cookies, a high-risk pattern for credential theft or malicious automation. The example.com URL is a benign placeholder, but taken together the URL set contains a suspicious download-and-execute source.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.95). The skill explicitly scrapes and browses arbitrary public websites (universal_scraper.py, linkedin_scraper.py, twitter_scraper.py, screenshot_tool.py and the "LinkedIn Post Flow" in SKILL.md) and ingests feed, job and post content from untrusted user-generated sources (LinkedIn, Indeed, Twitter). The agent reads that content and uses it to drive actions such as posting, engaging, applying or further scraping, so attacker-controlled text on those sites can materially influence the agent's behavior (indirect prompt injection).
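The three findings above share a shape: a pattern in the skill's instruction text that a reviewer can check for before installing it. The script below is an added example, not Snyk's scanner and not part of ghost-browser; it applies lightweight heuristics for each finding (secret names plus DevTools/.env copying for W007, a non-placeholder download host plus a run command for E005, untrusted sources plus agent-driven actions for W011) and adds a redaction helper for the W007 failure mode of secrets leaking into agent output. The sample SKILL.md text, the repository URL in it and the secret values in the redaction call are constructed for the example; the thresholds and keyword lists are assumptions, not Snyk's scoring.

```python
"""Heuristic checks for agent skill instructions (added example, not Snyk's tool)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Secret names called out in W007, plus a generic api_key pattern (assumption).
SECRET_NAMES = ("li_at", "auth_token", "ct0", "api_key", "api key")
# Places the instructions tell the user to copy secrets from or into (W007).
SECRET_SOURCES = ("devtools", ".env")
# Hosts whose URLs are placeholders, not real download sources (E005 notes example.com).
PLACEHOLDER_HOSTS = {"example.com"}
# Untrusted, user-generated sources named in W011.
UNTRUSTED_SOURCES = ("linkedin", "twitter", "indeed")
# Action stems that third-party content should not be able to drive (W011).
DRIVEN_ACTIONS = ("post", "engag", "apply", "scrap")

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")
# "python foo.py", "bash setup.sh" and similar run commands.
RUN_RE = re.compile(r"\b(?:python3?|bash|sh)\s+[\w./-]+\.(?:py|sh)\b", re.IGNORECASE)
# NAME=VALUE or NAME: VALUE for the secret names above (api_key with any prefix).
SECRET_KV_RE = re.compile(
    r"\b(?P<name>li_at|auth_token|ct0|[A-Za-z_]*api_key)(?P<sep>\s*[=:]\s*)(?P<val>[^\s;,\"']+)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    code: str
    severity: str
    detail: str


def check_credential_handling(text: str):
    """W007: instructions name secrets and tell the user to copy them around."""
    low = text.lower()
    names = [n for n in SECRET_NAMES if n in low]
    sources = [s for s in SECRET_SOURCES if s in low]
    if names and sources:
        return Finding("W007", "HIGH", f"asks for {', '.join(names)} via {', '.join(sources)}")
    return None


def check_download_execute(text: str):
    """E005: a real (non-placeholder) download host combined with a run command."""
    hosts = {urlparse(u).hostname for u in URL_RE.findall(text)}
    hosts.discard(None)
    real_hosts = sorted(h for h in hosts if h not in PLACEHOLDER_HOSTS)
    runs = RUN_RE.findall(text)
    if real_hosts and runs:
        return Finding("E005", "CRITICAL",
                       f"downloads from {', '.join(real_hosts)} and runs {', '.join(runs)}")
    return None


def check_third_party_content(text: str):
    """W011: untrusted content sources feeding actions the agent takes."""
    low = text.lower()
    sources = [s for s in UNTRUSTED_SOURCES if s in low]
    actions = [a for a in DRIVEN_ACTIONS if a in low]
    if sources and actions:
        return Finding("W011", "MEDIUM",
                       f"content from {', '.join(sources)} drives {', '.join(actions)}")
    return None


def audit_skill(text: str) -> list:
    """Run all checks over the instruction text and return the findings that fired."""
    checks = (check_credential_handling, check_download_execute, check_third_party_content)
    return [f for f in (c(text) for c in checks) if f is not None]


def redact_secrets(text: str) -> str:
    """Mask secret values before agent output or logs are written (W007 mitigation)."""
    return SECRET_KV_RE.sub(lambda m: m.group("name") + m.group("sep") + "<redacted>", text)


# Constructed sample instruction text; the repository URL is a placeholder, not the real repo.
SAMPLE_SKILL_MD = """# ghost-browser (constructed sample SKILL.md)
1. Clone https://github.com/someuser/ghost-browser and run `python linkedin_scraper.py`.
2. Open DevTools, copy the li_at cookie and your Twitter auth_token/ct0 into .env.
3. Use the LinkedIn Post Flow to read the feed, then post or engage with replies.
See https://example.com/docs for placeholders.
"""

if __name__ == "__main__":
    for finding in audit_skill(SAMPLE_SKILL_MD):
        print(f"{finding.severity} {finding.code}: {finding.detail}")
    print(redact_secrets("li_at=AQEDAQ123; ct0=9f8e7d; OPENAI_API_KEY: sk-constructed"))
```

These are keyword heuristics, so they will both miss obfuscated instructions and flag benign ones; their value is as a cheap pre-install gate that forces a human look at any skill that mentions session cookies, downloads-and-runs code, or feeds scraped content into actions, which is exactly the triage the audit above performed.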
Audit Metadata