autonomous-agent-patterns

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill's patterns (read_file, ContextManager.add_file/add_folder, tool outputs added to history, run_command/type_text) instruct the agent to ingest and include raw file/URL/command contents in prompts and tool calls without redaction, enabling secrets to be handled and potentially emitted verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill fetches and ingests arbitrary public web content—e.g., ContextManager.add_url (requests.get/html_to_markdown), BrowserTool.open_url and get_page_content, and VisualAgent.describe_page/find_and_click—which the agent is expected to read/interpret and act on (including clicking or formatting that content into prompts), so untrusted third-party content can materially influence agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The ContextManager.add_url method performs requests.get(url) at runtime and converts the fetched page into markdown that is injected into the agent prompt (i.e., any external URL passed to add_url — fetched via requests.get(url) — can directly control prompts), so this is a runtime external dependency that controls prompts.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill defines file-write and edit tools (write_file, edit_file, MCP server creation) that operate on arbitrary paths and execute code/commands with only heuristic approval or limited sandboxing, which can modify system files and machine state even without explicit sudo prompts.