browsing

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill includes explicit examples that type plaintext passwords into form payloads (e.g., {action:"type", payload:"pass123"}) and auto-captures page content/screenshots, which requires the agent to handle and emit secret values verbatim and risks exfiltration.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's core MCP use_browser and chrome-ws CLI (documented in SKILL.md and EXAMPLES.md) explicitly navigate to arbitrary external URLs (e.g., {action: "navigate", payload: "https://example.com"}), extract/generate page markdown (see lib/capture.js generateMarkdown and auto-capture saving {prefix}.md/.html) and then uses that extracted content to drive follow-up actions (cross-site workflows and form automation), so untrusted public web content is fetched and read by the agent and can materially influence subsequent tool actions.