agent-browser

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt includes many examples and commands that embed secrets verbatim (e.g., fill with "password123", proxy URLs with user:pass, set credentials user pass, cookies set name value), which instructs the agent to output or reproduce plaintext credentials directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly navigates to arbitrary URLs and ingests page content (e.g., SKILL.md's "agent-browser open ", snapshot/get text commands and the templates like templates/capture-workflow.sh which call agent-browser open $TARGET_URL and agent-browser get text body), so the agent will fetch and interpret untrusted public web content as part of its workflow.