agent-browser
Fail
Audited by Snyk on Mar 17, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The prompt contains multiple examples that embed plaintext credentials or session tokens directly into commands and state files (e.g., fill "password123", saving/using state files with plaintext tokens, piping echo "pass"), which would require an LLM to emit secret values verbatim and thus creates an exfiltration risk despite also offering safer alternatives.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill instructs the agent to navigate and scrape arbitrary public websites (e.g., "agent-browser open " and snapshot/get text in SKILL.md and templates like templates/capture-workflow.sh) and to parse/act on that page-derived content (refs, get text, snapshot) which clearly exposes it to untrusted third-party content that can influence subsequent actions.
Issues (2)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).