agent-browser

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes numerous examples that inline secrets into CLI commands and form fills (e.g., agent-browser fill @e2 "password123", echo "pass" | agent-browser auth save ...) and notes state files contain session tokens in plaintext, which would require the LLM to emit secret values verbatim if used the same way.

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.70). Although many links are benign placeholders or documentation pages (example.com, github.com/login, lightpanda.io docs) and none point directly to executable files, the list includes an explicit "malicious.com" plus several unvetted/ambiguous domains and subdomains (site-a.com, site-b.com, prod/staging/app.*) that could host or redirect to malicious installers, so downloads from this set should be treated as suspicious until verified.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's core workflow and examples (SKILL.md and templates like templates/capture-workflow.sh) explicitly use agent-browser open , snapshot -i, and get text body to fetch and ingest arbitrary public web pages and page-derived refs, which the agent is expected to read and act on, allowing untrusted third-party content to influence subsequent actions.