agent-browser

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt's CLI examples (e.g., cloudrouter browser fill ... "password123", cookies-set name value, state-save/state-load paths) instruct embedding credentials and cookie values directly in commands, which requires the LLM to include secret values verbatim in its output and thus poses an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly opens and scrapes arbitrary public URLs via commands like "cloudrouter browser open " and then uses snapshot/get-text/get-html/eval and data-extraction workflows to read page content, which exposes the agent to untrusted third-party (public web/user-generated) content.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (medium risk: 0.60). The prompt includes an explicit troubleshooting instruction to run a sudo command (sudo chown -R 1000:1000 /home/user/.npm) via SSH, which directs modifying filesystem ownership with elevated privileges and thus risks changing the machine state.