web-access

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs agents to extract and "preserve complete" URLs that may contain session-related parameters (tokens) and to return/extract resource URLs tied to login state, which forces the LLM to handle and potentially output sensitive tokens/cookies verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches and ingests arbitrary public web content (including social media and user-generated sites) via Jina/WebFetch and the CDP proxy endpoints (e.g., /new, /navigate, /eval in scripts/cdp-proxy.mjs and the SKILL.md guidance) and expects the agent to read and act on that content as part of its workflow, which could allow indirect prompt injection from untrusted third‑party pages.