bb-browser

Fail

Audited by Snyk on Mar 17, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The prompt explicitly shows filling password fields with plaintext via commands like bb-browser fill @3 "password", which requires the agent to accept and embed secret values verbatim (exfiltration risk).

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). This skill explicitly enables automated access to public and private pages by reusing a user's logged-in browser session and supports arbitrary JavaScript eval and DOM extraction, which are powerful, deliberate capabilities that enable credential/token theft and data exfiltration and therefore pose a high abuse risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). bb-browser explicitly opens arbitrary public webpages and logged-in pages (e.g., "bb-browser open "), extracts and reads their content via snapshot and eval (e.g., bb-browser eval "document.body.innerText", WeChat/Zhihu examples), and uses that content to decide and drive subsequent clicks/fills, so untrusted third‑party pages can indirectly inject instructions.

Issues (3)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.

  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.

  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level: CRITICAL
Analyzed: Mar 17, 2026, 01:59 AM
Issues: 3