debug-bridge

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt contains explicit plaintext secrets (e.g., the example "type "password" "secret123"") and directs agents to read/state network, cookies, and localStorage values, which would require the LLM to include secret values verbatim in commands or outputs.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The runbook intentionally exposes a WebSocket remote-control/debug channel with arbitrary JS evaluation, access to cookies/localStorage/state, streaming of network requests/responses (including bodies), console/errors, DOM and screenshot capture, and an exported window hook — features that directly enable credential/token theft and broad data exfiltration and function as a backdoor if left enabled or connected to untrusted agents (even though labeled "dev only").

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests and acts on live webapp content (e.g., it requests the UI tree via "request_ui_tree", consumes auto-streamed "network_response" bodies and console/DOM telemetry, and the examples (examples/login-flow.md) use those UI/network contents to decide clicks, typing, navigation, and other actions), which exposes the agent to untrusted third-party page content that could contain injected instructions.