agent-browser

Pass

Audited by Gen Agent Trust Hub on Apr 30, 2026

Risk Level: SAFE
[PROMPT_INJECTION] [EXTERNAL_DOWNLOADS] [COMMAND_EXECUTION] [CREDENTIALS_UNSAFE]
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests untrusted content from web pages that could contain malicious instructions.
      • Ingestion points: Commands such as snapshot, get text, get html, and get attr (SKILL.md, references/commands.md) extract data from external websites into the agent's context.
      • Boundary markers: The skill recommends the use of the AGENT_BROWSER_CONTENT_BOUNDARIES environment variable or --content-boundaries flag (SKILL.md) to wrap page content in markers, helping the agent distinguish page data from instructions.
      • Capability inventory: The tool has extensive capabilities including click, fill, eval, download, and session state management (state save) across its documentation and templates (SKILL.md, templates/form-automation.sh, references/commands.md).
      • Sanitization: Mitigation strategies such as content boundaries and domain allowlists (AGENT_BROWSER_ALLOWED_DOMAINS) are documented to restrict the agent's exposure to malicious content.
  • [EXTERNAL_DOWNLOADS]: The skill instructs the user to install the agent-browser package via standard package managers (npm, brew, cargo). The agent-browser install command is also used to download the Chrome/Chromium binary required for operation (SKILL.md).
  • [COMMAND_EXECUTION]: The skill provides a CLI tool that allows for complex browser interactions. This includes an eval command (references/commands.md) that can execute arbitrary JavaScript within the browser context, which is a powerful but potentially risky feature if used with untrusted input.
  • [CREDENTIALS_UNSAFE]: The skill manages authentication through state files (auth.json) that store session tokens and cookies in plaintext. While the documentation warns against committing these files and suggests using encryption keys (AGENT_BROWSER_ENCRYPTION_KEY), the default management of these files presents a risk of credential exposure (SKILL.md, references/authentication.md).
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 30, 2026, 04:41 PM