agent-browser

Fail

Audited by Snyk on Apr 5, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt contains multiple examples and workflows that embed plaintext secrets directly into commands and form fills (e.g., agent-browser fill @e2 "password123", state files with session tokens, echo "pass" | ...), which would require an LLM to handle and output secret values verbatim.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.80). The list mixes legitimate/documentation pages (e.g., lightpanda docs, GitHub login and example.com placeholders) with multiple ambiguous/unknown domains (site-a.com, site-b.com), a localhost entry and an explicit "malicious.com" — the presence of unknown/untrusted hosts and an explicitly malicious domain in a download/execution context makes the collection suspicious for malware distribution.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's core workflow and examples (SKILL.md "Navigate: agent-browser open " plus snapshot -i and get text commands) and templates (templates/capture-workflow.sh and form-automation.sh) explicitly fetch and ingest arbitrary public web pages and use page-derived snapshots/refs/text to drive interactions, while security restrictions like content-boundaries are opt-in, so untrusted third-party page content can be read and influence subsequent tool actions.

Issues (3)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • E005 (CRITICAL): Suspicious download URL detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata
Risk Level: CRITICAL
Analyzed: Apr 5, 2026, 06:09 PM
Issues: 3