agent-browser
Fail
Audited by Snyk on Feb 18, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The prompt's examples and API require supplying raw "text" fields (e.g., password, proxy_password) inline in CLI/JSON commands, which would force an LLM to embed secret values verbatim in generated commands/requests, creating exfiltration risk.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). The set includes a direct-install shell script (curl https://cli.inference.sh | sh) and self-hosted binary distribution URLs (dist.inference.sh, cli.inference.sh, cloud.inference.sh). These are common malware distribution vectors unless the publisher is verified and checksums/signatures are independently validated. The remaining links (google/example/proxy) are benign or neutral.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's open/goto functions accept arbitrary URLs, and its templates and functions (e.g., capture-workflow.sh, snapshot/execute returning elements_text and document.body.innerText, and the "open" examples) fetch and extract page text/links/screenshots from public websites. As a result, the agent will read untrusted third-party web content.