Browser

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly captures and reports full network requests and headers (and console/network output) by default, which can contain bearer tokens, cookies, or API keys and thus forces the model to expose secret values verbatim in its outputs.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The package runs a persistent local HTTP server that captures console and network logs (including request headers), exposes control endpoints like /evaluate and /navigate, and returns all responses with Access-Control-Allow-Origin: *, which allows remote websites to issue cross-origin requests to that localhost service and thereby remotely execute page scripts and exfiltrate sensitive request/response data (including headers/cookies/tokens) — a high-risk backdoor / data-exfiltration vulnerability.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill/browser CLI clearly navigates to and ingests arbitrary public URLs (e.g., Tools/Browse.ts primary command "bun run Browse.ts " and BrowserSession.ts POST /navigate) and exposes page content via methods like getVisibleText/getVisibleHtml/evaluate, so it will read untrusted third-party web (user-provided) content that could carry indirect prompt injection.