browser-automation-agent

Warn

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION)
Full Analysis
  • [COMMAND_EXECUTION]: The provided Node.js implementation snippets use child_process.execSync with direct string interpolation (e.g., execSync(`agent-browser open ${url}`)). If the url, formData values, or sessionName are derived from untrusted user input or scraped web content, an attacker could execute arbitrary shell commands on the host system.
  • [EXTERNAL_DOWNLOADS]: The skill requires the installation of the agent-browser package via NPM and triggers a secondary download of the Chromium browser binary using agent-browser install. These external binaries execute with the permissions of the user.
  • [DATA_EXFILTRATION]: The skill includes explicit commands to retrieve sensitive information from the browser, such as agent-browser cookies get and agent-browser storage get. This capability could be abused to exfiltrate session tokens or personal data if the agent is manipulated.
  • [INDIRECT_PROMPT_INJECTION]: The skill is designed to ingest and process content from arbitrary third-party websites.
      • Ingestion points: browser_open_and_snapshot and browser_capture (SKILL.md) read accessibility trees, HTML source, and page text.
      • Boundary markers: None. The agent prompt does not specify delimiters or instructions to ignore embedded commands within the scraped content.
      • Capability inventory: Shell command execution via execSync, file system writes via screenshot/pdf, and network navigation via the browser CLI.
      • Sanitization: Absent. There is no evidence of filtering or escaping logic applied to the data retrieved from the browser before it is processed by the agent or passed back to the CLI.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 1, 2026, 04:36 AM