browsing

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill's action payloads (e.g., human_type/type examples and form-fill patterns) require embedding credentials (passwords, API keys, cookies) verbatim in the generated action JSON, and the prompt even shows a plaintext password example, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill autonomously navigates to arbitrary web URLs (see SKILL.md "navigate" action and chrome-ws examples) and uses extract/eval/attr/markdown to read page content and then drive follow-up actions (see EXAMPLES.md "Cross-Reference Between Sites", "Web Scraping", and multi-tab workflows), so untrusted public web content can directly influence the agent's decisions and tool usage.