browser
Fail
Audited by Snyk on Jun 20, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.85). The repo deliberately exposes powerful remote-browser control and session-extraction capabilities (remote CDP attach/liveUrl sharing, arbitrary JS/CDP Runtime.evaluate, reading/exporting cookies and session JWEs, helpers to send cookies externally, upload/download and profile sync, and opt-in dynamic "domain-skill" loading from external skill sources) that — while intended for automation — constitute clear, deliberate high‑risk abuse vectors for data exfiltration, credential theft, and remote code execution if misused or loaded with untrusted skills.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.75). Outsider free text is ingested when BH_DOMAIN_SKILLS=1 and the agent reads agent-workspace/domain-skills/<site>/ files (e.g., BOSS-zhipin/job-search.md), which are community-authored content; the runtime path is the agent’s “read every file” instruction that loads those markdown texts into the LLM context.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The AgentList Discovery skill includes runtime http_get calls that fetch remote skill files (e.g. https://skills.agentlist.com/skill/{id}/SKILL.md and https://agentlist.com/raw/{id}) which are intended to be loaded into the agent’s context and can directly control agent instructions, so this is a high-confidence runtime dependency.
Issues (3)
- E006 (CRITICAL): Malicious code pattern detected in skill scripts.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).