browser

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill's example scripts explicitly read and log sensitive values (document.cookie, cookies.map(...)=value, request.headers(), and example plaintext passwords used in authenticate), which would cause the agent to handle and output secrets verbatim — a high exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md and references/local-browser.md explicitly instruct the agent to navigate to arbitrary URLs (e.g., page.goto(TARGET_URL) / "Discover Page Structure") and to connect to the user's real Chrome via the Playwright MCP Bridge (local browser mode), causing the agent to fetch and parse untrusted third‑party web content which can be used to derive selectors and drive follow-up actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (low risk: 0.30). The skill does not ask for sudo, user creation, or edits to system files, but it does instruct running Chromium with --no-sandbox/--disable-setuid-sandbox and includes helpers to connect to the local browser and extract auth state (cookies/IndexedDB), which weaken security and can expose sensitive state — so it’s a low-to-moderate risk but not a direct request to modify OS-level configuration.