cloudflare-browser

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The script scripts/video.js uses execSync to run ffmpeg with unsanitized string interpolation for the outputPath and fps arguments. An attacker providing a malicious filename (e.g., via an agent's task) could break out of the command and execute arbitrary shell commands on the host.
  • [REMOTE_CODE_EXECUTION] (HIGH): The scripts/cdp-client.js library uses unsafe string interpolation to build JavaScript expressions for Runtime.evaluate. Specifically, the type, click, and scroll functions do not escape single quotes in selectors or text inputs. This allows for arbitrary JavaScript injection into the target browser page context.
  • [INDIRECT_PROMPT_INJECTION] (HIGH): The skill is designed to ingest untrusted data from the web (via page navigation and HTML extraction) and has high-privilege capabilities (file writing, shell command execution, and browser JS execution). The lack of sanitization in the interaction functions (type, click) and the shell execution in video.js creates a significant attack surface for malicious web content to influence the agent's host environment.
      • Ingestion points: process.argv (CLI arguments for URLs and paths) and remote web content processed via getHTML() and getText() in scripts/cdp-client.js.
      • Boundary markers: Absent. The prompt instructions do not include delimiters or instructions to ignore embedded commands in the processed web data.
      • Capability inventory: child_process.execSync (in video.js), fs.writeFileSync (in screenshot.js and video.js), and Runtime.evaluate (across all scripts).
      • Sanitization: Absent. Input is directly interpolated into shell commands and JavaScript strings.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 05:54 AM