gemma-gem-browser-ai

Fail

Audited by Gen Agent Trust Hub on Apr 8, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The run_javascript tool implemented in the service worker (background/tools.ts) utilizes new Function(args.code) to execute arbitrary JavaScript code provided by the AI model. This grants the model full programmatic control over the active browser tab's context.
  • [DATA_EXFILTRATION]: The skill possesses tools designed to harvest sensitive information, including read_page_content for scraping text and HTML, and take_screenshot for capturing visual data from the browser. While the skill claims no cloud dependencies, these tools provide the necessary primitives for data collection that could be exfiltrated if the agent is compromised.
  • [REMOTE_CODE_EXECUTION]: The skill automatically downloads and executes large-scale AI models (~500MB to 1.5GB) from Hugging Face's infrastructure (onnx-community/gemma-4-*) using the @huggingface/transformers library. The execution of these external binary artifacts constitutes a remote code execution pathway.
  • [EXTERNAL_DOWNLOADS]: The skill fetches model weights and configuration files from Hugging Face's official repositories. These downloads are performed automatically during the first initialization of the chat interface.
  • [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection because it ingests untrusted content from web pages via the read_page_content tool and subsequently processes it through an agent loop with high-privilege capabilities like JavaScript execution and form filling. There are no evident sanitization or boundary markers to prevent malicious instructions on a webpage from hijacking the agent's session.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 8, 2026, 07:01 AM