agent-browser

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt's examples and inputs embed plaintext credentials (e.g., "password123", "proxy_password": "pass") directly into CLI/JSON commands and form fills, which would require the agent/LLM to accept and reproduce secret values verbatim in outputs.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly navigates to arbitrary public URLs and ingests page content via the open/snapshot/execute functions (see SKILL.md and references/commands.md) and example templates like templates/capture-workflow.sh and templates/form-automation.sh which extract document.body.innerText and elements_text and then drive subsequent interact actions, so untrusted third-party page content can directly influence agent decisions and tool use.