bux-claude-agent

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). This skill explicitly instructs the agent to run installation and configuration commands that require API keys and bot tokens to be provided inline (e.g., BROWSER_USE_API_KEY=bu_xxx, TG_BOT_TOKEN) and to wire them into services, which means the agent would need to handle and potentially emit secret values verbatim in commands or files, creating an exfiltration risk.

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.80). While several links (GitHub, Telegram API, Hacker News, t.me) are legitimate, this bundle directs you to curl|bash a raw GitHub install.sh and to use custom domains (browser-use.com / cloud.browser-use.com) — a common high-risk distribution vector because a remotely fetched script run as root can deliver arbitrary malware even if the project appears legitimate.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly runs a persistent Chromium browser and instructs Claude to browse arbitrary public websites (e.g., "Visit https://news.ycombinator.com" in the examples and Telegram-driven tasks shown in the "Using Your Agent via Telegram" and "Send one-off tasks programmatically" sections), so it ingests untrusted third‑party web content that the agent reads and can act on.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's one-line installer fetches and executes remote code at runtime via curl -fsSL https://raw.githubusercontent.com/browser-use/bux/main/install.sh | sudo ... bash (and related raw.githubusercontent.com / github.com repo fetches), which directly runs external code and is required for installation.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). This skill explicitly instructs the agent to SSH into a host and run an install script with sudo, create/enable systemd services, manage users/cron/fstab, and otherwise modify system files and persistent state (e.g. /home/bux), all of which are privileged operations that change the machine state.