
agent-browser

Fail

Audited by Gen Agent Trust Hub on Mar 3, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The file SKILL.md includes a bash snippet that performs an eval on the AGENT_BROWSER_CDP_LAUNCH environment variable. This allows for arbitrary command execution on the host system if the environment variable is controlled by an attacker or improperly configured.
  • [REMOTE_CODE_EXECUTION]: As documented in references/commands.md, the agent-browser CLI includes an eval command capable of executing arbitrary JavaScript within the browser context via Base64-encoded strings or standard input. This provides a direct path for dynamic code execution.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its core function of ingesting untrusted data from the web.
      ◦ Ingestion points: Workflow templates such as templates/capture-workflow.sh use agent-browser get text body to extract text from external URLs, and SKILL.md uses agent-browser snapshot for page analysis.
      ◦ Boundary markers: There are no delimiters or explicit instructions provided to the agent to prevent it from following commands that might be embedded in the scraped text or metadata.
      ◦ Capability inventory: The agent has permission to use the Bash tool and can execute high-impact browser commands, including navigation, JavaScript execution, and local file writes (screenshots and state saving).
      ◦ Sanitization: No filtering or sanitization of external content is performed before the data enters the agent's context.
  • [EXTERNAL_DOWNLOADS]: The documentation in SKILL.md and references/authentication.md mentions the installation of the appium package from the official NPM registry to facilitate mobile browser automation.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 3, 2026, 03:30 AM