captcha-relay
Fail
Audited by Snyk on Feb 26, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). This code intentionally implements CAPTCHA-bypassing and remote-browser-relay functionality: screencast and remote input, public tunneling via npx/localtunnel/cloudflared or Tailscale, and token relay and injection. It also writes solved tokens to a predictable file. These features clearly facilitate automated abuse, remote access/control of a headless browser, and token exfiltration. No obfuscation or hidden evals were found, but the capability itself is high-risk and can be used as a backdoor or for credential/session token theft.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill directly inspects arbitrary webpage DOM via CDP to detect sitekeys and CAPTCHA type (see lib/detect.js and the Agent Workflow in SKILL.md/ARCHITECTURE.md). It then starts relay/tunnel servers and uses that extracted data to choose actions (createRelayServer, startTunnel, injectToken), so untrusted public page content can materially influence tool invocation and behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The relay HTML templates load external CAPTCHA provider SDKs at runtime (e.g. https://www.google.com/recaptcha/api.js, https://js.hcaptcha.com/1/api.js, https://challenges.cloudflare.com/turnstile/v0/api.js), which execute remote JavaScript in the served page and are required for the token-relay flow.