opencli-web-automation

Fail

Audited by Snyk on Mar 17, 2026

Risk Level: CRITICAL

Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The skill explicitly reuses logged-in Chrome sessions, provides patterns to extract cookies/tokens (localStorage/sessionStorage), saves discovered auth artifacts, and dynamically loads and runs user-supplied TypeScript adapters. Together, these design choices enable credential theft, data exfiltration, and arbitrary code execution if adapters or the setup/distribution step are abused.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill's SKILL.md explicitly shows the agent exploring and scraping public, user-generated websites (e.g., "opencli explore https://example.com", built-in commands like "opencli reddit frontpage", "opencli twitter trending", and DOM-scraping examples such as navigating to "https://news.ycombinator.com" and evaluating page content), meaning it ingests untrusted third‑party content that can influence subsequent tool actions (adapter synthesis, API probing, and command behavior).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill's MCP client is invoked via npx, which will fetch and execute the remote package @playwright/mcp@latest at runtime (see the MCP client config invoking npx "@playwright/mcp@latest"). The skill also requires the Playwright MCP Bridge Chrome extension (https://chromewebstore.google.com/detail/playwright-mcp-bridge/mmlmfjhmonkocbjadbfplnigmagldckm), so remote code is fetched and executed, and it is a required runtime dependency.

Issues (3)

  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level: CRITICAL
Analyzed: Mar 17, 2026, 01:38 PM
Issues: 3