[Security] Sensitive values leaked into stdout and model transcripts

[fredluz]

Summary

Several commands reflect secrets, credentials, and sensitive field values directly into command output. Since Browse is designed for LLM agents, this output is typically fed back into model context and persisted in chat logs, terminal history, and orchestration traces.

Affected Code

• browse/src/write-commands.ts:97 — type command echoes all typed text:

  return `Typed "${text}"`;

• browse/src/write-commands.ts:156 — cookie command echoes cookie values:

  return `Cookie set: ${name}=${value}`;

• browse/src/write-commands.ts:166 — header command echoes header values:

  return `Header set: ${name}: ${value}`;

• browse/src/read-commands.ts:68 — forms command dumps password field values:

  value: input.value || undefined,

• browse/src/read-commands.ts:187 — storage set echoes stored values:

  return `Set localStorage["${key}"] = "${value}"`;

Impact

Two concrete examples:

• header "Authorization:Bearer sk-live-..." leaks the bearer token into stdout/model context
• forms on a page with a filled password field dumps the password as plaintext (including "type": "password", "value": "supersecret")

In an agentic workflow, these values end up in LLM context windows, log files, and potentially shared traces.

Suggested Fix

• Redact echoed values by default for type, cookie, header, and storage set (e.g., Cookie set: session=****)
• Never emit value for type=password fields in forms output
• Consider a --show-secrets flag gated behind explicit consent if raw output is ever needed

Severity

Medium — credential and secret leakage via stdout in an LLM-agent context