browser-automation
Fail
Audited by Snyk on Apr 16, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The prompt includes numerous examples that embed plaintext credentials and sensitive values directly in commands and form fills (e.g., agent-browser fill "password123", the credit-card example, echo "$PASSWORD" | agent-browser auth save, and state files with session tokens), so an LLM acting on this skill could be required to output secret values verbatim — high exfiltration risk.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). The list contains an explicit malicious domain (malicious.com), an exposed localhost endpoint and multiple unverified/third‑party hosts (besides placeholder/example domains), so any instruction to download or execute files from these URLs is high risk and should be treated as potentially malicious.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.95). The skill contains multiple intentional, high-risk features that enable credential theft and data exfiltration (automatic connection to an already-running Chrome debug port, explicit instructions to export session state tokens in plaintext, an auth vault and auth-login flow that bypasses action policy, clipboard and network-inspection capabilities, arbitrary JS eval with base64/stdin obfuscation, file:// access and unrestricted default security), which together create explicit backdoor/abuse paths for stealing credentials or remotely controlling a user's browser.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill's core workflow explicitly opens arbitrary URLs and ingests page content (e.g., "agent-browser open " and "agent-browser snapshot -i" / "agent-browser get text ..."), and the security section notes that by default there are no navigation/output restrictions, so untrusted public webpages can be read and used to drive subsequent actions—enabling indirect prompt injection.
Issues (4)
W007
HIGHInsecure credential handling detected in skill instructions.
E005
CRITICALSuspicious download URL detected in skill instructions.
E006
CRITICALMalicious code pattern detected in skill scripts.
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
Audit Metadata