Agent Browser

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt includes commands that embed plaintext secrets (e.g., fill @e2 "password123", set credentials user pass, set headers '{"X-Key":"v"}' and saving/loading auth.json), so an agent following it would likely need to output secret values verbatim, creating exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly lets the agent "open " to navigate arbitrary public websites and then "snapshot -i" / "get text" / "get html" / "eval" to read and act on page content (e.g., core workflow and examples), so untrusted third‑party webpages can be ingested and drive subsequent actions.