agent-browser

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes explicit examples and commands that require placing plaintext credentials or secrets directly into CLI arguments (e.g., agent-browser fill "password123", cookies set name value, set credentials user pass, set headers) which would force the agent to include secret values verbatim in its generated commands/outputs, creating exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly navigates to arbitrary URLs (e.g., "agent-browser open " and examples like "agent-browser open https://example.com/form") and instructs the agent to snapshot/get text or HTML and interact based on that content (snapshot -i, get text/get html), which means untrusted public web pages can be fetched and their content can directly drive agent actions.