agent-browser

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes examples that embed plaintext credentials (e.g., "password123", "proxy_password": "pass", filling password fields) directly into CLI JSON inputs and form-fills, which requires the LLM to output secret values verbatim and thus poses an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly opens arbitrary public URLs (see SKILL.md "open" function and templates such as templates/capture-workflow.sh), returns page snapshots/elements_text and executes document.body.innerText (references/commands.md and snapshot-refs.md), and the agent is expected to read those results and choose subsequent interact/execute actions—so untrusted, user-generated web content can materially influence agent behavior.