The Agent Skills Directory

COMMAND_EXECUTION (MEDIUM): The evaluate.js script allows execution of arbitrary JavaScript within the browser context via eval(). While this is the intended functionality of the script, it poses a risk of dynamic code execution if the agent is directed to run untrusted logic.
COMMAND_EXECUTION (MEDIUM): The install-deps.sh script utilizes sudo to install system libraries on Linux (Ubuntu/Debian, Fedora, Arch). This involves elevated privileges for system configuration.
EXTERNAL_DOWNLOADS (LOW): The installation process (install.sh and install-deps.sh) downloads numerous third-party dependencies from standard package managers (npm, apt, dnf, pacman). These are generally from trusted sources but represent a large external dependency surface.
DATA_EXFILTRATION (LOW): Several scripts, including screenshot.js, network.js, and snapshot.js, have the capability to write data (images, network logs, DOM snapshots) to the local file system using user-provided paths via the --output argument.
PROMPT_INJECTION (LOW): The skill acts as an ingestion point for untrusted external data from the web (via snapshot.js, console.js, and network.js). This creates a surface for indirect prompt injection where a malicious website could attempt to influence the agent's behavior through the scraped content.
Ingestion points: navigate.js, snapshot.js, console.js, network.js (reads external URLs).
Boundary markers: None implemented to distinguish external web content from instructions.
Capability inventory: evaluate.js (exec/eval in browser), click.js/fill.js (interaction), network.js/screenshot.js (file writes).
Sanitization: lib/selector.js contains validateXPath which checks for common injection keywords like javascript: and <script in selectors.

chrome-devtools