e2e-agent-browser

Fail

Audited by Snyk on Mar 9, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The prompt includes examples that embed plaintext credentials (e.g., agent-browser fill @e2 "password123") and commands that read runtime tokens (agent-browser eval "window.localStorage.getItem('token')"). These would require an LLM to handle secret values or could output them verbatim, posing an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The SKILL.md workflow repeatedly instructs the agent to open arbitrary web pages (e.g., "agent-browser open https://myapp.com" and "agent-browser open https://example.com") and then take snapshots, eval JS, wait for text, and act on parsed page refs (JSON mode, snapshot -i, eval). The agent therefore fetches and interprets untrusted public web content as part of its runtime actions.

Audit Metadata

Risk Level: HIGH
Analyzed: Mar 9, 2026, 07:37 PM