agent-browser

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes examples that embed plaintext secrets (e.g., "password123", "proxy_password": "pass") directly in CLI/JSON inputs and form-fill actions, which requires the agent to handle and output secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.85). The skill’s runtime workflow ingests outsider-authored free text from arbitrary web pages: the open/snapshot functions navigate to a user-supplied url and return elements_text (and other page text) extracted from that page, which is then placed into the agent/LLM context for decision-making.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly depends on the inference.sh service (https://inference.sh) at runtime — the belt/infsh CLI calls that backend to fetch snapshots/elements and run browser actions, and those returned artifacts directly drive agent prompts/decisions and execution.