Skills
skills/nottelabs/notte-cli/notte-browser/Snyk

notte-browser

Fail

Audited by Snyk on Feb 27, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes examples and commands that place plaintext secrets directly in CLI arguments and example outputs (e.g., --password "mypassword", --mfa-secret "JBSWY..."), which requires the LLM to handle or reproduce secret values verbatim, creating exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill's required workflows (SKILL.md, references/function-management.md and the templates) explicitly instruct the agent to navigate to arbitrary public URLs (e.g., "notte page goto", examples like "https://news.ycombinator.com" and competitor sites), run "notte page scrape" and start AI agents/functions that read and act on scraped page content—i.e., ingesting untrusted, user-generated web content which can directly influence subsequent actions.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the entire skill prompt for literal, high-entropy values that would be usable credentials.

Finding flagged:

  • The only high-entropy, literal credential present is the TOTP/MFA secret in the "Authenticated Session with Vault" example: --mfa-secret "JBSWY3DPEHPK3PXP". This is a Base32-style MFA secret (real-looking, random/encoded characters) and would be usable to generate OTP codes; therefore it meets the definition of a secret and is flagged.

Findings explicitly ignored (and why):

  • --password "mypassword" and example passwords like "securepassword": low-entropy example strings; treated as documentation examples and ignored.
  • Email examples ("me@example.com", "user@example.com") and environment variable names (NOTTE_API_KEY, NOTTE_SESSION_ID, etc.): not secret values present.
  • Other placeholders and truncated/redacted patterns: none with real credentials beyond the MFA secret.

Note: Although that MFA secret may be a common example value in documentation, it is a literal, usable TOTP secret present in the prompt and thus considered a hardcoded secret under the provided analysis protocol.

Audit Metadata
Risk Level
HIGH
Analyzed
Feb 27, 2026, 10:52 AM