agent-browser

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt includes multiple examples that pass passwords, tokens, and session state in plaintext (e.g., fill "password123", card numbers, state files containing session tokens) and shows CLI commands that embed secrets directly, so an LLM following these examples may be required to handle or emit secret values verbatim.

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.70). Although many URLs are benign placeholders or official sites (example.com, github.com, app.example.com), the list includes an explicit malicious domain (https://malicious.com), unclear third‑party hosts (site-a.com, site-b.com), and direct-install instructions/links for binaries (agent-browser downloading Chrome, Lightpanda installation) — together creating a non‑negligible risk of distributing untrusted executables.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly opens and ingests arbitrary public web pages (e.g., "agent-browser open ", "agent-browser snapshot -i", "agent-browser get text body" in SKILL.md and templates/capture-workflow.sh), and uses that untrusted page content (refs/text) to drive actions like clicks/fills, so third‑party pages can materially influence agent behavior and enable indirect prompt injection.