browser-tools

Fail

Audited by Snyk on Feb 15, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill exposes and returns browser cookies and can load a user's profile (including session cookies and logins), which requires the agent to read and potentially output secret/session values verbatim, posing an exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). The package exposes powerful capabilities: arbitrary JavaScript execution in any open page (browser-eval.js), local copying/reading of the user's Chrome profile (browser-start.js --profile), and dumping of cookies (browser-cookies.js). These are legitimate for automation but are high-risk patterns because they directly enable credential access and make it trivial to craft exfiltration (e.g., via evaluated code that issues network requests), even though the repo itself does not include a hard-coded external exfiltration endpoint.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill intentionally navigates to and extracts content from arbitrary public websites — e.g., browser-content.js accepts a user-supplied URL and converts the page to markdown, browser-nav.js opens arbitrary URLs, and browser-hn-scraper.js scrapes Hacker News — so the agent will read and interpret untrusted, user-generated web content that could enable indirect prompt injection.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Feb 15, 2026, 08:54 PM