agent-browser

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The CLI examples and interaction patterns require passing sensitive values directly into commands (e.g., agent-browser fill @e2 "password123" or filling with "$PASSWORD"), so an LLM generating those commands may need to include secrets verbatim even though env-var options exist.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly navigates to and scrapes arbitrary public URLs (e.g., "agent-browser open " in SKILL.md and the capture-workflow.sh and form-automation.sh templates) and then snapshots/gets page text and runs JS, meaning untrusted third-party page content is read and used to drive subsequent agent actions.