chrome-devtools

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt embeds an explicit plaintext credential ("Password: secret") and shows VNC connection details, which requires the agent to handle and potentially output that secret verbatim.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This skill exposes an unauthenticated, network-accessible REST API that permits arbitrary browser control (including execution of arbitrary JavaScript via eval in page context), captures network/console data (including headers and page content), and ships container settings that reduce isolation (cap_add: SYS_ADMIN) plus a hardcoded VNC password — a combination that enables remote data exfiltration, credential theft, and container breakout if exposed.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's CDP API and scripts explicitly navigate to and fetch arbitrary public URLs (see cdp-api-server.js endpoints like /navigate and /content and the SKILL.md usage scripts such as scripts/navigate.rb and network_capture.rb), so the agent ingests untrusted third-party web content that can influence subsequent actions.