browser

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt's auth flows explicitly show filling username/password values (e.g., fill @password "pass") and saving/loading session auth state (state save/load auth.json), which requires the agent to accept and embed secret credentials verbatim into commands/files, creating exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to "open URL" and to run page-evaluations (e.g., "open URL → wait --load networkidle", "agent-browser eval --stdin", and data-extraction flows using document.querySelectorAll) which clearly fetch and interpret arbitrary third‑party web pages and their user-generated content, allowing page-provided instructions to influence actions.