browser-automation

Fail

Audited by Snyk on May 15, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes examples and instructions that embed API keys and plaintext passwords directly into CLI commands and act prompts (e.g., MIDSCENE_MODEL_API_KEY and a form example with 'pass123'), which would require the LLM to handle or output secret values verbatim, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). SKILL.md explicitly instructs the agent to "connect --url" and to "browse, scrape, extract, or collect data from websites" and requires a screenshot-analyze-act loop that reads page content to decide subsequent actions, so arbitrary public web pages (untrusted third-party content) can influence tool behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill explicitly runs the remote CLI package via "npx -y @midscene/web@1", which at runtime fetches and executes code from the npm registry (e.g., https://registry.npmjs.org/@midscene/web) and is required for the skill to operate, so this is a runtime external dependency that executes remote code.

Issues (3)

HIGH W007: Insecure credential handling detected in skill instructions.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level: HIGH
Analyzed: May 15, 2026, 01:10 PM
Issues: 3