agent-browser

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). Contains an explicit example that injects a plaintext password directly into a command (agent-browser fill @e2 "password123"), which requires the LLM to output secret values verbatim and is therefore high-risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly navigates to and ingests arbitrary webpages (e.g., "agent-browser --headed open " and "agent-browser snapshot -i" in SKILL.md and the command reference), meaning untrusted public web content can be read and used to drive subsequent clicks/fills/eval actions, enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's quick-start uses a Nix flake reference "github:numtide/llm-agents.nix#agent-browser" via "nix run github:numtide/llm-agents.nix#agent-browser …", which fetches and executes remote code at runtime and is presented as the required way to run the agent.