autofillin

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill instructs the agent to "prompt for password" and to fill login fields (and shows examples embedding passwords in CLI credential commands), which requires the LLM/agent to accept and place secret values verbatim into automation commands or storage—creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's required workflow (SKILL.md) and scripts explicitly navigate to arbitrary public URLs (e.g., "autofillin https://example.com/form", Playwright commands like npx playwright open ""), take page snapshots (take_snapshot), analyze form fields, run evaluate_script, and then act (fill/upload/click) based on that page content, so untrusted third-party webpages can directly influence the agent's decisions and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The MCP configuration runs npx to fetch and execute remote packages at runtime (e.g., "npx -y @anthropic-ai/mcp-server-playwright" and "npx -y @modelcontextprotocol/server-filesystem"), which downloads and runs external code that the skill relies on, so these are runtime external dependencies that execute remote code.