browser-use

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill's commands (e.g., browser_fill_form) and examples show embedding credentials/passwords directly in JSON payloads (like "password123"), so an agent using this skill would need to include secret values verbatim in its generated requests/commands.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly supports navigating to arbitrary URLs and extracting/interpreting page content (see SKILL.md navigation examples, the "Data Extraction" workflow using browser_navigate and browser_snapshot/browser_evaluate, and the browser_navigate tool in references/playwright-tools.md), so it ingests untrusted public web content that can materially influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's runtime instructions start the MCP server by invoking remote npm packages (e.g., "npx @playwright/mcp@latest" in scripts/start-server.sh and the suggested stdio command "npx -y @modelcontextprotocol/server-github" in mcp-client.py), which fetch and execute remote code at runtime and are required to run the skill.