browser-cdp

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs extracting auth tokens from localStorage or document.cookie and returning them (via eval commands), which requires the LLM/agent to include secret token/cookie values verbatim in its output, creating an exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). This tool intentionally copies Chrome user profiles, opens a remote-debugging CDP endpoint and exposes commands to read cookies/localStorage (e.g., "extract token"), enabling credential/token theft and session hijacking—high-risk dual-use behavior—even though there is no obfuscated backdoor or outbound exfiltration code in the script itself.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly instructs the agent to open arbitrary URLs and evaluate page content via CDP (e.g., "agent-browser --cdp 9222 open """ and "eval 'document.body.innerText...'", plus commands to click/type/snapshot), so the agent will fetch and interpret untrusted public web pages whose content could influence its subsequent actions.