dogfood

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to prompt for or accept user credentials (EMAIL, PASSWORD, OTP) and embed them verbatim into agent-browser fill commands and saved auth-state files, requiring the LLM to handle secrets directly and creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly opens and interacts with an arbitrary Target URL (e.g., "agent-browser --session {SESSION} open {TARGET_URL}") and directs the agent to read page content and "snapshot" / "snapshot -i", click, fill forms, and follow in-app flows during Explore, so untrusted public web content provided by the target can be ingested and directly influence subsequent tool actions.