browser-use

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill's commands (e.g., browser_fill_form) and examples show embedding credentials/passwords directly in JSON payloads (like "password123"), so an agent using this skill would need to include secret values verbatim in its generated requests/commands.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required workflows (e.g., browser_navigate, browser_snapshot, and browser_run_code in SKILL.md) explicitly navigate to and extract content from arbitrary public web pages, meaning untrusted third-party page content can be read and acted on.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill requires running "npx @playwright/mcp@latest --port 8808 --shared-browser-context &", which fetches and executes remote npm package code at runtime (and that MCP server then executes arbitrary code via calls like browser_run_code), so this is a required external fetch that runs remote code.