web-browser

Fail

Audited by Gen Agent Trust Hub on Apr 14, 2026

Risk Level: HIGH

Findings: CREDENTIALS_UNSAFE, DATA_EXFILTRATION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill is designed to target the user's primary Chrome browser profile (located at ~/Library/Application Support/Google/Chrome/ or %LOCALAPPDATA%), enabling the agent to leverage the user's existing login sessions, cookies, and stored authentication tokens for any website.
  • [DATA_EXFILTRATION]: The CDP Proxy component includes a /setFiles API endpoint that allows the agent to programmatically assign local file paths to web form inputs. This capability can be abused to exfiltrate sensitive local files—such as private keys or environment configurations—to external, potentially malicious servers.
  • [COMMAND_EXECUTION]: The skill utilizes the !command syntax in SKILL.md to execute shell commands during loading (e.g., listing site patterns). It also executes local bash scripts (check-deps.sh, match-site.sh) and maintains a persistent background Node.js process for the browser proxy.
  • [REMOTE_CODE_EXECUTION]: The /eval endpoint allows for the execution of arbitrary JavaScript code within the browser context. When combined with the agent's ability to browse arbitrary websites, this creates a vector where malicious web content could influence the agent to execute dangerous scripts within the user's authenticated session.
  • [PROMPT_INJECTION]: As a tool for browsing arbitrary web content, the skill is highly vulnerable to indirect prompt injection. Malicious instructions embedded in web pages or DOM metadata can manipulate the agent's behavior, which is particularly dangerous given the skill's file-system access and session-sharing capabilities.
  • [EXTERNAL_DOWNLOADS]: The installation process involves cloning a repository from an external GitHub account (github.com/43COLLEGE/43-Agent-skills), which serves as the source for the executable proxy and support scripts.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 14, 2026, 11:34 AM