browse

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs extracting browser cookies (document.cookie) and embedding session/CSRF values into a curl command (and more generally copying credentials between contexts), which requires the agent to read and output secret values verbatim, creating an exfiltration risk.

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.90). The GitHub URL is a direct download of an unsigned Linux binary from an unfamiliar GitHub release and is paired with instructions to curl/chmod/move-and-run it (high risk for malware/typosquat/unknown publisher), while the internal.example.com link is an internal reports page (not a direct executable) and is lower technical risk though potentially sensitive.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly directs the agent to fetch and scrape arbitrary public URLs (e.g., "WebFetch", "lightpanda fetch --dump ... ", following links, and the MCP interaction pattern in Step 3) and to read and act on that live page content, which exposes the agent to untrusted third‑party content that can influence navigation and tool actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill includes one-time setup commands that fetch and install a remote executable used by the skill (e.g., curl -L -o lightpanda https://github.com/lightpanda-io/browser/releases/download/0.2.9/lightpanda-x86_64-linux followed by chmod && mv), which downloads and would execute remote code required for the browsing runtime.