kuri-agent

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to set and persist Authorization headers (e.g., set-header Authorization "Bearer eyJ..."), read tokens from storage/cookies, and include them in fetch/probe commands — forcing the agent/LLM to accept and emit secret values verbatim.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). This tool is a high-risk, dual-use automation framework: it explicitly exposes capabilities to enumerate and decode JWTs and cookies, dump storage, persist and apply authentication headers, run arbitrary JS in pages, perform authenticated fetches, and mass-probe IDs (IDOR), all of which can be directly used to steal credentials, exfiltrate data, and automate unauthorized access — there are no signs of hidden backdoors or obfuscated payloads, but the documented features are intentionally enabling abuse.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly navigates to and ingests arbitrary public web pages and content via commands such as "kuri-agent go ", "kuri-agent snap", "kuri-agent text", "kuri-agent eval", and uses those snapshots/JS results to drive actions like click/type/fetch (see SKILL.md Workflow and Page inspection / Actions sections), so untrusted third‑party page content could indirectly inject instructions that influence subsequent automated behavior.