chrome-cdp-live-browser
Fail
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The installation instructions direct the user to download code from an untrusted GitHub repository (pasky/chrome-cdp-skill) that does not belong to the author or a trusted organization.
- [DATA_EXFILTRATION]: The skill accesses sensitive local file paths associated with browser profiles (e.g., ~/Library/Application Support/Google/Chrome/) to find debugging ports. It also includes commands such as Network.getCookies which can be used to extract active session cookies and authentication tokens.
- [REMOTE_CODE_EXECUTION]: Through the eval and evalraw commands, the agent can execute arbitrary JavaScript within any open browser tab. This allows the agent to perform actions on behalf of the user or exfiltrate data from within authenticated web pages.
- [COMMAND_EXECUTION]: The skill executes local Node.js scripts (scripts/cdp.mjs) and manages background daemons to maintain live sessions with the browser.
- [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface that could be exploited by malicious web content.
  - Ingestion points: The skill reads live HTML and accessibility tree data from open browser tabs via the snap and html commands as described in SKILL.md.
  - Boundary markers: There are no boundary markers or instructions present to tell the agent to ignore potentially malicious commands embedded in page content.
  - Capability inventory: The skill provides significant interaction capabilities including JavaScript execution (eval), clicking (click), typing (type), and navigation (nav).
  - Sanitization: There is no evidence of sanitization or validation for the ingested HTML or the results returned from JavaScript execution.
Recommendations
- AI detected serious security threats
Audit Metadata