browser-cash

Fail

Audited by Snyk on May 19, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). Although there are no hidden backdoors, obfuscated payloads, or explicit exfiltration commands, the skill explicitly documents how to bypass anti-bot protections, create persistent real‑browser sessions, and maintain logged‑in profiles—capabilities that strongly enable scraping, credential stuffing, account takeover, and other abusive behavior.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). This skill's SKILL.md explicitly instructs creating Browser.cash sessions and connecting via Playwright/Puppeteer to arbitrary external websites (see "Create a Browser Session", "Full Workflow Example", and "Scraping Tips" with page.goto(...) and extraction/interaction code), so it fetches and scrapes untrusted public web content that can influence automation behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill makes runtime calls to https://api.browser.cash/v1/... and then uses the returned WebSocket CDP endpoint (e.g., wss://gcp-usc1-1.browser.cash/.../devtools/browser/...) to connect and control a remote browser via CDP, which executes remote browsing/JS actions, so the external URL is a required runtime dependency that enables remote code execution.

Issues (3)

  • CRITICAL E006: Malicious code pattern detected in skill scripts.
  • MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
  • MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata
Risk Level: CRITICAL
Analyzed: May 19, 2026, 10:47 AM
Issues: 3