agent-browser

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt's CLI examples (e.g., cloudrouter browser fill ... "password123", cookies-set name value, state-save/state-load paths) instruct embedding credentials and cookie values directly in commands, which requires the LLM to include secret values verbatim in its output and thus poses an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's core workflow and command set explicitly navigate to arbitrary URLs (cloudrouter browser open in SKILL.md) and then snapshot/get-text/eval/click to read and act on page content, meaning untrusted public web pages can directly influence the agent's actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (medium risk: 0.60). The prompt includes an explicit troubleshooting instruction to run a sudo command (sudo chown -R 1000:1000 /home/user/.npm) via SSH, which directs modifying filesystem ownership with elevated privileges and thus risks changing the machine state.