chrome-devtools

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt's examples (e.g., fill {"uid":"#password","value":"pass"}) and workflows instruct generating commands that embed plaintext credentials into mcp commands/shell pipelines, meaning the LLM would need to include secret values verbatim in its output.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly instructs the agent to load arbitrary public URLs (e.g., navigate_page {"url":"https://example.com"} in Quick Start/Usage) and to take_snapshot/list_console_messages/evaluate_script which ingest and return page content, so untrusted third-party webpage content can be read and directly influence follow-up actions like fill/click/evaluate_script.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly installs and runs remote packages at runtime—e.g., "bunx -y chrome-devtools-mcp@latest" and "go install github.com/f/mcptools/cmd/mcptools@latest"—so these external packages/URLs are fetched and executed and thus control runtime behavior.