browser-cdp

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill's examples and workflows show filling form fields with literal username/password strings (e.g., setting document.querySelector('#password').value = 'mypass'), which instructs the agent to embed secrets verbatim in commands/requests, creating an exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The code intentionally exposes an unauthenticated HTTP proxy that accepts arbitrary CDP/JavaScript commands (via /eval and other endpoints), can install extensions and control a real browser, and — if misconfigured to bind beyond localhost or tunneled — can be used for credential theft, data exfiltration, and remote control of a user's browsing session.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). This skill's SKILL.md explicitly instructs the agent to navigate to arbitrary URLs (GET /navigate) and execute /eval to extract page text/links (e.g., "document.body.innerText", JSON.stringify([...document.querySelectorAll('a')]) and examples like chromewebstore.google.com), so it fetches and interprets untrusted public web content and can perform actions (click/install) based on that content.