agent-browser

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill's examples and command templates explicitly show embedding plaintext credentials into agent-browser commands (e.g., fill @e4 "password123"), which instructs the LLM to include secret values verbatim in generated output and thus creates an exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The skill exposes powerful browser-automation primitives (arbitrary JS eval including iframe context, cookies/localStorage access, network request inspection/mocking, header setting, file upload, screenshotting and credential autofill) that, while legitimate for testing, directly enable credential theft and data exfiltration and can be abused as a backdoor by an attacker controlling the agent.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly instructs the agent to open arbitrary URLs (e.g., agent-browser open <url> in SKILL.md) and to run agent-browser snapshot -i -c (references/ai-snapshot-workflow.md) to ingest and act on page content (element labels/HTML), meaning untrusted public web pages can be fetched and their content directly influence the agent's actions.