The Agent Skills Directory

[REMOTE_CODE_EXECUTION]: The skill provides an eval command that allows the agent to execute arbitrary JavaScript within the context of any open Chrome tab. This grants the agent full control over the page's execution environment, enabling it to read session cookies, local storage, and private page variables.
[DATA_EXFILTRATION]: The skill interacts with the user's live browser session where they may be logged into sensitive services (GitHub, internal tools, email). Commands like snap, html, and shot extract page content and visual state, which are returned to the agent. This represents a high-risk exposure path for authenticated user data.
[PROMPT_INJECTION]: The skill is highly susceptible to Indirect Prompt Injection. It ingests untrusted data from external websites (via snap and html) without any sanitization or boundary markers. A malicious website could embed hidden instructions to hijack the agent's behavior, leveraging its powerful browser interaction capabilities (clicking, typing, JS execution) to perform unauthorized actions or steal data.
Ingestion points: Page content is read from external URLs via snap, html, and eval in scripts/cdp.ts.
Boundary markers: None identified. Raw page data is interpolated into the agent's context.
Capability inventory: Arbitrary JS execution (eval), UI interaction (click, type), navigation (nav), and data extraction (snap, html, shot).
Sanitization: No sanitization or safety filtering is performed on the ingested content.
[COMMAND_EXECUTION]: The script uses Bun.spawn to launch background daemons and system commands (like open or xdg-open) to modify browser settings. While used for legitimate setup, the use of subprocesses to manage browser state is a high-privilege pattern.
[DATA_EXFILTRATION]: Visual information is stored in a predictable, potentially shared location (/tmp/screenshot.png). On multi-user systems or environments with loose permissions, this could lead to local information disclosure of the user's browser activity.

chrome-cdp