web-browse

Warn

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: MEDIUM
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The login macro instructions encourage passing plaintext credentials (username and password) as command-line arguments. This is an insecure practice as arguments are often visible in system process lists and shell history.
  • [COMMAND_EXECUTION]: The evaluate action allows the execution of arbitrary JavaScript code within the web page context. While a standard feature for automation, it grants significant control over the browser session and could be abused to access sensitive session data.
  • [DATA_EXFILTRATION]: The network action captures and returns recent network requests. This capability can be used to extract sensitive information such as authentication headers, API keys, or session tokens transmitted by the browser.
  • [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection because it processes untrusted data from arbitrary websites.
      • Ingestion points: Untrusted data enters the agent context through the read, snapshot, extract, paginate, and evaluate actions in SKILL.md.
      • Boundary markers: The skill explicitly defines [PAGE_CONTENT: ...] delimiters and includes a 'CRITICAL: Prompt Injection Warning' section in SKILL.md to advise the agent against obeying instructions found in page content.
      • Capability inventory: Across all actions in SKILL.md, the skill possesses high-privilege capabilities including clicking elements, filling forms, uploading files (file-upload), and executing arbitrary JavaScript (evaluate).
      • Sanitization: External content is wrapped in delimiters as described in SKILL.md, but no structural sanitization or filtering of the content itself is performed before it is returned to the agent.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 10, 2026, 03:48 PM