setup-browser-cookies

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 1.00). The skill embeds numerous explicit operational directives (telemetry opt-ins/logging, project-file edits and git commits, CLAUDE.md routing injection, brain-sync to remote, config changes, vendoring migration, etc.) that are unrelated to "importing browser cookies" and would change behavior or project state beyond the skill's stated purpose, so this is an out-of-scope/deceptive instruction set.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill's setup step conditionally runs curl -fsSL "https://bun.sh/install" to download and then execute the installer script (bash "$tmpfile") at runtime, which fetches and runs remote code.