run-agent-browser
Fail
Audited by Snyk on Mar 13, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.80). The prompt includes multiple examples that embed plaintext secrets directly into CLI commands (e.g., agent-browser fill "password123", echo "pass" | agent-browser ...) which encourages an LLM to produce outputs containing secret values verbatim, even though safer alternatives are mentioned; this creates a substantial exfiltration risk.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). This set contains an explicit malicious domain (https://malicious.com) and an unverified third‑party installer link (https://lightpanda.io/docs/open-source/installation), while the rest are placeholder/example/localhost sites or login pages that could be abused or redirect — so the presence of a known-malicious host and an untrusted installer page makes this a high-risk download source.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's core workflow and templates (e.g., the "agent-browser open " command and scripts like templates/ai-agent-workflow.sh and templates/capture-workflow.sh) explicitly navigate arbitrary public URLs and use snapshot/get text/snapshot -i --json to ingest page content which the agent then reads and acts on (click/fill/eval), so it clearly consumes untrusted third-party web content that can influence subsequent tool actions.
Issues (3)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- E005 (CRITICAL): Suspicious download URL detected in skill instructions.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
Audit Metadata