agent-browser-cli-control

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes explicit commands that read, print, and set cookies (e.g., extracting cookies into a shell variable and echoing them, and using cookies --set 'name=value;...'), which requires the agent to access and potentially output session secrets verbatim, creating an exfiltration risk.

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.90). Yes — while some links (google.com, example.com, ara.so) are benign, the skill instructs downloading a Chrome extension zip and binaries from an unverified GitHub repository/releases (and installing/running a native CLI that connects to your browser and preserves session cookies), which is a high-risk pattern for credential/session theft or distribution of malicious executables from an unknown author.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly documents commands like "agent-browser-cli open " and "agent-browser-cli scan" and the "Integration with AI Agents" workflow, which fetch and read arbitrary public web pages (untrusted third-party content) and then use that content to drive exec/monitor actions, enabling indirect prompt injection.