autobrowse-agent-browser

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.70). This is an unvetted GitHub repository from an individual account that instructs you to run npm install, install runtime binaries and run node scripts (actions that can execute arbitrary code and download executables), so although it’s not a direct .exe download or URL shortener, the supply-chain/script execution risk makes it suspicious without further verification.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The harness explicitly instructs the delegated ACPX/agent-browser agent to "Open the target URL or best public search URL" and to use commands like get text body for extraction (see buildPrompt in scripts/evaluate.mjs, the README "Web browsing allowed" note, and references/example-task.md's URL field), which means the agent will fetch and read arbitrary public webpages and their user-generated content as part of its workflow, enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The script invokes npx to fetch-and-run the remote ACPX package (default "acpx@0.7.0") at runtime via execFileSync("npx", ...), which downloads and executes remote code that runs the delegated agent and thus directly controls execution of prompts/agent behavior.