
agent-browser

Warn

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: MEDIUM
Categories: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill requires the agent to install and run the 'agent-browser' tool directly from a remote GitHub repository using nix run github:numtide/llm-agents.nix#agent-browser. This introduces a dependency on external code that is fetched at runtime.
  • [REMOTE_CODE_EXECUTION]: The skill exposes an eval command that allows the agent to execute arbitrary JavaScript within the browser context. It explicitly supports multiple ways to provide this code, including via standard input (--stdin) and Base64 encoding (-b), which can be used to bypass shell escaping or obfuscate malicious logic.
  • [DATA_EXFILTRATION]: The tool includes an --allow-file-access flag which, when enabled, allows the browser to open and read local files via file:// URLs. This represents a significant risk of local sensitive data exposure (e.g., SSH keys, configuration files) if the agent is directed to access these paths.
  • [COMMAND_EXECUTION]: The skill is entirely based on the execution of shell commands through the agent-browser CLI, giving the agent broad control over the browser daemon and the local environment where the commands are run.
  • [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection. It is designed to extract text, HTML, and accessibility snapshots from untrusted third-party websites. This data is then ingested into the agent's context, where malicious instructions embedded in web pages could influence the agent's future actions. While the documentation mentions --content-boundaries as a mitigation, it is an opt-in feature and does not fully prevent sophisticated injection attacks.
  • [CREDENTIALS_UNSAFE]: The auth save and state save commands manage sensitive authentication data, including session tokens and passwords. While the skill recommends using encryption and environment variables, the creation of state files (e.g., auth-state.json) on the local filesystem creates a surface for credential theft if the environment is compromised.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 9, 2026, 06:21 PM