agent-browser

Warn

Audited by Gen Agent Trust Hub on Feb 28, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill includes an eval command that allows the execution of arbitrary JavaScript in the browser context. The use of the --base64 flag facilitates the execution of encoded scripts, which can be used to obfuscate malicious logic or bypass basic security filters. Standard shell execution of JavaScript is also supported via stdin or direct string arguments.
  • [DATA_EXFILTRATION]: The skill provides multiple methods for accessing and exporting potentially sensitive data. The --allow-file-access flag enables the browser to read local files via file:// URLs, which could lead to the exposure of sensitive system files if navigation is controlled by an attacker through indirect prompt injection. Additionally, the state save command exports session cookies and local storage to JSON files; if these files are not handled securely, they could be used for session hijacking.
  • [EXTERNAL_DOWNLOADS]: The skill instructions frequently suggest using npx agent-browser, which may download and execute code from the public NPM registry at runtime if the package is not already cached locally.
  • [COMMAND_EXECUTION]: The skill relies on executing the agent-browser CLI tool, which manages a background browser daemon. This architecture involves persistent processes and potential interaction with the host's file system and network.
  • [PROMPT_INJECTION]: As the skill is designed to ingest and process content from arbitrary websites (e.g., via snapshot or get text), it is susceptible to indirect prompt injection. Ingestion points: snapshot and get text commands read data from external web pages. Capability inventory: The tool can perform complex actions including click, fill, and eval. Mitigation: The skill mentions an optional --content-boundaries feature to help the agent distinguish between tool instructions and untrusted page content, though its use is not mandatory.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 28, 2026, 11:44 PM