tap-web

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill's examples and CLI usage (e.g., tap browser fill ... "secret", tap browser cookies get|set, and form-fill/CLI arguments) explicitly show passing credentials or secrets as plain text command arguments, which would require the LLM to include secret values verbatim in generated commands or code.

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.90). The presence of a direct raw.githubusercontent.com install.sh (commonly used with "curl | sh") from an unvetted GitHub user is a high‑risk executable distribution vector that can deliver malware; the other two URLs (example.com/login and localhost:9222) are benign by themselves but do not mitigate this risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly instructs the agent to fetch and interact with arbitrary public webpages (e.g., SKILL.md: "tap fetch ", references/browser.md: "tap browser open ", and references/network.md capturing https://x.com/elonmusk), so it ingests untrusted third-party/user-generated content that can influence subsequent tool actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The install instructions include a runtime shell command that fetches and executes remote code via "curl -fsSL https://raw.githubusercontent.com/vaayne/tap/main/scripts/install.sh | sh", which executes remote code and is required to install the skill.