browser-automation

Fail

Audited by Snyk on Apr 3, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes explicit examples and patterns that instruct the agent to embed plaintext credentials directly into generated commands/prompts (e.g., "fill in ... the password field with 'pass123'"), which requires the LLM to handle and output secret values verbatim and creates exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to connect to arbitrary web pages and scrape/navigate content (e.g., "Connect to a URL to open a new tab" and examples like npx @midscene/web@1 connect --url https://example.com) and mandates reading screenshots/page content to decide the next actions, so untrusted third-party webpages can directly influence tool use and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The skill explicitly instructs running "npx @midscene/web@1" (which fetches and executes code from the npm registry at runtime) — this is a required runtime dependency that downloads and runs remote code, so it can directly execute externally-sourced code.

Issues (3)

W007 (HIGH): Insecure credential handling detected in skill instructions.

W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level: HIGH
Analyzed: Apr 3, 2026, 08:19 AM
Issues: 3