agent-browser

Pass

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: SAFE
Finding categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8) because it is designed to ingest and process data from untrusted external websites.
      ◦ Ingestion points: The skill navigates to arbitrary URLs and extracts content using agent-browser open, snapshot, and get text (found in SKILL.md).
      ◦ Boundary markers: The instructions do not define clear delimiters or "ignore instructions" markers for the content retrieved from websites.
      ◦ Capability inventory: The agent has the ability to execute shell commands (Bash), write to the file system (state save, screenshot, pdf), and perform network operations via the browser.
      ◦ Sanitization: There is no mention of sanitizing or filtering web content before it is processed by the agent.
  • [DATA_EXFILTRATION]: The skill provides tools that can be used to access and export sensitive information.
      ◦ agent-browser cookies: This command retrieves all cookies from the current session, which may include sensitive session tokens.
      ◦ agent-browser state save <path>: This command exports the entire browser state (cookies, localStorage, etc.) to a local file, creating a risk if these files are later exfiltrated or improperly secured.
      ◦ --allow-file-access: The tool explicitly supports a flag that enables access to local files via file:// URLs, which could be used to read sensitive local configuration files if the agent is misdirected.
  • [COMMAND_EXECUTION]: The exec:agent-browser pathway uses eval --stdin to execute arbitrary JavaScript within the browser's page context. Although limited to the browser environment, this allows dynamic code execution based on agent-supplied or potentially attacker-influenced input.
  • [EXTERNAL_DOWNLOADS]: The skill includes an agent-browser install command that downloads the Chromium browser binary and its dependencies. The documentation also references installing the appium package via npm for mobile automation support.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 29, 2026, 07:09 PM