browser

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The skill documentation exposes multiple deliberate features that enable sensitive data access and extraction (cookies, history, localStorage, network captures including headers/bodies and preserved auth tokens), plus mechanisms to run arbitrary code/commands via execute-in-page and terminal profile spawning—these are explicit design choices that can be used to exfiltrate credentials and achieve remote code execution.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's workflows and tool docs (e.g., references/core-tools.md and references/advanced-tools.md) explicitly open and inspect public web pages and resources—using tools like tabz_open_url (allowed public domains list), tabz_get_dom_tree, tabz_execute_script, tabz_save_page, and tabz_download_image—so the agent fetches and interprets untrusted, user-facing web content that can drive clicks, form fills, downloads, and other actions.