agent-browser

Fail

Audited by Snyk on Mar 5, 2026

Risk Level: CRITICAL

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes examples that directly embed plaintext passwords/API secrets in CLI commands (e.g., agent-browser fill "password123", echo "pass" | agent-browser ...), so an LLM using the skill could be required to output secret values verbatim, creating an exfiltration risk.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.70). Most URLs are benign or test domains (example.com, GitHub login, localhost, app/staging/prod subdomains), but the list includes an explicit malicious domain (malicious.com) and other untrusted/unknown sites (site-a.com, site-b.com); although there are no direct executable file links, being told to download/execute from unverified domains is potentially dangerous.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly navigates to arbitrary URLs and ingests page content (e.g., SKILL.md and references/commands.md describe agent-browser open and snapshot/get text, and templates/capture-workflow.sh and form-automation.sh demonstrate opening public sites and extracting/interpreting page text/refs), so the agent will read and act on untrusted third-party web content.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill performs runtime navigation and snapshots of arbitrary external pages (e.g., https://github.com/login) and returns page content into the agent context, which can directly influence agent prompts/instructions and thus constitutes a high-confidence runtime risk.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Mar 5, 2026, 06:55 AM