browser-tools

Fail

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: HIGH
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The script browser-cookies.js accesses the Puppeteer browser instance and retrieves all cookies for the active tab, printing their names, values, and security flags to standard output. This facilitates the exposure of session tokens and authentication data.
  • [CREDENTIALS_UNSAFE]: The script browser-start.js includes a --profile flag that uses rsync to copy the user's entire Google Chrome profile directory from ~/Library/Application Support/Google/Chrome/ to a local cache directory at ~/.cache/browser-tools. This process clones sensitive data including cookies, logins, and session states.
  • [COMMAND_EXECUTION]: The script browser-eval.js accepts arbitrary strings from command-line arguments and executes them within the browser's context using new AsyncFunction. This allows the agent to execute unvalidated code on any web page.
  • [COMMAND_EXECUTION]: The script browser-start.js uses execSync to run shell commands (mkdir, rm, rsync) and uses spawn to launch the Chrome binary from a hardcoded path with sensitive flags like --remote-debugging-port=9222.
  • [DATA_EXFILTRATION]: While the skill does not contain a hardcoded remote exfiltration URL, the combination of browser-cookies.js (extracting tokens) and browser-content.js (reading page data) provides the necessary primitives for an agent to read sensitive user data and potentially pass it to other tools or output it.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection.
      • Ingestion points: browser-content.js and browser-hn-scraper.js ingest untrusted content from external websites.
      • Boundary markers: None are present to distinguish between instructions and data.
      • Capability inventory: The skill can execute JS (browser-eval.js), navigate to URLs (browser-nav.js), and extract cookies (browser-cookies.js).
      • Sanitization: Content is converted to markdown using Turndown and Mozilla Readability, but this does not sanitize instructions intended for the LLM.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 1, 2026, 12:08 AM