browser-use

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes commands that pass API keys/tokens directly on the command line and examples embedding secrets (e.g., "browser-use cloud login " and "browser-use cookies set token abc123"), which requires the LLM to handle and output secret values verbatim.

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.90). The list contains a direct "curl | bash" installer hosted on an unverified third‑party domain (https://browser-use.com/cli/install.sh), which is a high‑risk distribution vector for malware even though the other URLs (google, mail, news.ycombinator, example.com) are benign/legitimate.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly opens and automates arbitrary public websites (e.g., "browser-use open https://news.ycombinator.com" and "browser-use open https://www.google.com") and uses commands like eval, get text/html, state, wait, click and input to read and act on page content, so untrusted third‑party web content can be ingested and materially influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's installation repeatedly instructs running "curl -fsSL https://browser-use.com/cli/install.sh | bash", which fetches and immediately executes remote code and is presented as the required installation/runtime dependency for the CLI, so it directly executes external code at setup.