agent-browser

Pass

Audited by Gen Agent Trust Hub on Feb 26, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE
Full Analysis
  • [PROMPT_INJECTION]: Vulnerability to indirect prompt injection from untrusted websites.
      • Ingestion points: Website content is retrieved and presented to the agent via commands like open, snapshot, and get text (found in SKILL.md).
      • Boundary markers: No explicit markers are used to separate web content from system instructions.
      • Capability inventory: The agent can execute high-impact interactions like clicking, filling forms, and running JavaScript (eval), which could be maliciously triggered by instructions embedded on a website (found in references/commands.md).
      • Sanitization: Web content is processed and displayed to the agent without sanitization or filtering.
  • [COMMAND_EXECUTION]: Arbitrary JavaScript execution within the browser environment.
      • Evidence: The eval command allows running arbitrary JavaScript code in the browser context, which can be used to manipulate the DOM or access browser-side data (documented in SKILL.md).
  • [EXTERNAL_DOWNLOADS]: Installation of browser binaries and automation dependencies.
      • Evidence: The install command downloads Chromium browser binaries from external sources (SKILL.md).
  • [CREDENTIALS_UNSAFE]: Unencrypted session storage and potential local file exposure.
      • Evidence: The state save command exports sensitive cookies and session tokens to unencrypted local JSON files (documented in references/session-management.md).
      • Evidence: The --allow-file-access flag allows the browser to read local system files, which could lead to data exposure if an attacker-controlled site is visited (documented in SKILL.md).
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 26, 2026, 11:07 AM