agent-browser

Fail

Audited by Snyk on Mar 25, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The prompt's examples and API require supplying raw "text" fields (e.g., password, proxy_password) inline in CLI/JSON commands, which would force an LLM to embed secret values verbatim in generated commands/requests, creating exfiltration risk.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.70). Most links are documentation/pages or an image, but the presence of a remote install script (curl | sh to cli.inference.sh), platform binaries hosted under dist.inference.sh, and an HTTP proxy endpoint are common vectors for delivering malicious executables if the domain or artifacts are untrusted, so the set should be treated as moderately high risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill explicitly navigates to arbitrary URLs and scrapes page content (via open/snapshot/execute in SKILL.md and references/commands.md) and the provided templates (templates/capture-workflow.sh, templates/form-automation.sh) extract elements_text and document.body.innerText from public websites, which the agent is expected to read and act on—exposing it to untrusted third-party content that could inject instructions.

Issues (3)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • E005 (CRITICAL): Suspicious download URL detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level: CRITICAL
Analyzed: Mar 25, 2026, 01:03 AM
Issues: 3