browser-xterm-interaction

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). It instructs embedding credentials verbatim into commands and scripts (e.g., inline AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY and os.environ assignments), which requires the agent to handle and output secret values directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md explicitly instructs the agent to read and scrape live web terminal content from third-party pages (e.g., xterm.js/hterm in CTF/Cloud Shell) using browser_evaluate, browser_snapshot, and screenshots (see Phase 1–4 and Phase 3 JS methods), so untrusted webpage/user-generated output is ingested and used to drive subsequent actions.