browserless

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt repeatedly demonstrates and instructs embedding tokens, API keys, cookies, and plaintext passwords directly into URLs, curl commands, Docker env vars, and code examples (e.g., ?token=your-token, TOKEN=your-secure-token, "username":"user","password":"pass"), which encourages the LLM to accept and emit secret values verbatim and thus poses a high exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly shows the agent calling endpoints that fetch and scrape arbitrary public URLs (e.g., /scrape, /content, /screenshot and the Function API examples that run page.evaluate on external pages like "https://example.com"), so the agent would ingest and act on untrusted third-party web content that could contain instructions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill's setup explicitly pulls and runs the remote container image ghcr.io/browserless/chromium (docker run ... ghcr.io/browserless/chromium), which downloads and executes remote code at runtime and is required to run the service.