web-access
Fail
Audited by Snyk on Jun 20, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill instructs the agent to preserve and use full URLs that may contain session tokens and to embed those URLs in curl/new requests, which can force the LLM to handle and output sensitive tokens verbatim.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). The skill intentionally exposes a local HTTP API that can run arbitrary JavaScript inside the user's logged-in Chrome tabs and manipulate uploads with arbitrary local file paths. It also auto-attaches to Chrome (discovering DevTools ports) and includes anti-detection logic (intercepting debug-port probes). These capabilities enable covert credential access and data exfiltration and thus present high-risk backdoor/abuse potential.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
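- Third-party content exposure detected (high risk: 0.85). At runtime, the skill uses the browser's CDP to read the DOM text of web pages loaded after the user navigates or clicks within a page (for example /new→Target.createTarget, /navigate→Page.navigate, and /eval→Runtime.evaluate to extract textContent/DOM structure). This page content is free text written by external website authors and may be injected into the agent's LLM context.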
Issues (3)
W007
HIGH Insecure credential handling detected in skill instructions.
E006
CRITICAL Malicious code pattern detected in skill scripts.
W011
MEDIUM Third-party content exposure detected (indirect prompt injection risk).
Audit Metadata