next-browser

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The skill explicitly asks for session cookies (including examples with Bearer tokens) and suggests creating a cookies JSON file via echo/write, which can lead the agent to receive and emit secret values verbatim (exfiltration risk) rather than keeping them purely in a local auth mechanism.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md and README explicitly require the agent to open and navigate arbitrary URLs (e.g., "open ", "goto ") and to read and act on page content (tree, errors, network, eval, screenshots), and the prototypes/README show using public sandbox URLs — so the agent fetches untrusted, user-controlled web pages and uses their content to drive subsequent tool use and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly installs and runs remote packages at runtime (e.g., "npm install -g @vercel/next-browser" which pulls code from the npm registry at https://registry.npmjs.org/@vercel/next-browser and the README's npx command pulls the Git source at https://github.com/vercel-labs/next-browser), so required external content is fetched and executed during runtime.