browser-use
Fail
Audited by Snyk on Feb 16, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt contains many examples and commands that instruct embedding API keys, task secrets, and cookies directly on the command line or in config files (e.g., --api-key, --secret API_KEY=xxx, echo '{"api_key": "your-key-here"}'), which would require the LLM/agent to output secret values verbatim — an exfiltration risk.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). Most links are well-known or placeholder domains (gmail.com, youtube.com, example.com, GitHub cloudflare release, trycloudflare) and are low-risk, but the bundle includes a direct "curl | bash" installer from an untrusted domain (https://browser-use.com/cli/install.sh) and other direct-fetch endpoints (live.browser-use.com) — direct shell scripts and unsigned binaries from unknown domains are high‑risk distribution vectors.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill explicitly opens and scrapes arbitrary public web pages (e.g., browser-use open <url>, browser-use get html, browser-use get text, and browser-use extract) and runs remote agent tasks that browse and summarize web content (browser-use -b remote run "..."), meaning it ingests untrusted, user-generated third‑party content as part of its workflow.