agent-browser

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill's examples and interact commands show filling passwords and proxy credentials by placing plaintext secret values into CLI JSON inputs (e.g., "text":"password123", "proxy_password":"pass"), which would require the LLM to include secrets verbatim in generated commands/outputs.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly opens arbitrary public URLs (see SKILL.md "open" function and templates such as templates/capture-workflow.sh), returns page snapshots/elements_text and executes document.body.innerText (references/commands.md and snapshot-refs.md), and the agent is expected to read those results and choose subsequent interact/execute actions—so untrusted, user-generated web content can materially influence agent behavior.