agent-browser

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt's examples and API require supplying raw "text" fields (e.g., password, proxy_password) inline in CLI/JSON commands, which would force an LLM to embed secret values verbatim in generated commands/requests, creating exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's SKILL.md (Quick Start and Core Workflow) documents an open function that navigates to arbitrary URLs (e.g., examples using "https://google.com" and the "open" input "url") and returns DOM element refs / allows JS execution and interactions, so the agent will ingest and act on untrusted public web content that can materially influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The Quick Start instructs running "curl -fsSL https://cli.inference.sh | sh" which fetches and executes a remote installer (and downloads binaries from dist.inference.sh), so the skill depends on external code that is executed during setup: https://cli.inference.sh