chrome-cdp-live-browser

Fail

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: HIGH
DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill provides direct access to live, authenticated browser sessions. This allows the agent to read content from private, logged-in services such as Gmail, GitHub, and internal business tools without requiring re-authentication.
  • [DATA_EXFILTRATION]: The skill includes explicit commands to extract browser cookies via the Network.getCookies CDP command passed to scripts/cdp.mjs evalraw.
  • [REMOTE_CODE_EXECUTION]: It allows for the evaluation of arbitrary JavaScript code within any open browser tab using the scripts/cdp.mjs eval command, which can be used to manipulate page state or exfiltrate data from the DOM.
  • [COMMAND_EXECUTION]: The integration examples demonstrate the heavy use of execSync to run the scripts/cdp.mjs wrapper. If target identifiers or other parameters are derived from untrusted web content, this could lead to local command injection.
  • [EXTERNAL_DOWNLOADS]: The installation instructions direct users to fetch the skill and its scripts from an untrusted third-party GitHub repository (github.com/pasky/chrome-cdp-skill) which is not part of the defined trusted vendor list.
  • [PROMPT_INJECTION]: The skill possesses a significant indirect prompt injection surface.
      • Ingestion points: Uses scripts/cdp.mjs snap and scripts/cdp.mjs html to read untrusted content from live web pages (SKILL.md).
      • Boundary markers: There are no instructions or delimiters defined to prevent the agent from obeying instructions embedded in the processed web pages.
      • Capability inventory: The agent has high-privilege capabilities including JS execution (eval), navigation (nav), and simulated user interaction (click, type) (SKILL.md).
      • Sanitization: No evidence of sanitization or filtering of the extracted HTML/accessibility tree content before it is passed to the agent context.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 15, 2026, 11:56 PM