agent-browser

Warn

Audited by Gen Agent Trust Hub on Feb 27, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill exposes an eval command that allows the execution of arbitrary JavaScript within the browser's context.
  • Evidence: SKILL.md and references/commands.md document the agent-browser eval command, including support for stdin and Base64 encoded scripts to bypass shell interpretation issues.
  • [DATA_EXFILTRATION]: The tool includes commands to access, save, and manage sensitive session data such as cookies and local storage.
  • Evidence: references/session-management.md and references/authentication.md describe the `state save`, `cookies`, and `storage local` commands, which are used to persist and export authentication tokens.
  • [DATA_EXFILTRATION]: Local filesystem access is explicitly supported through browser flags and protocols.
  • Evidence: SKILL.md describes the use of the --allow-file-access flag and file:// protocol to open and process local documents.
  • [EXTERNAL_DOWNLOADS]: The skill uses npx to run the browser automation tool and references the installation of external mobile drivers.
  • Evidence: SKILL.md specifies allowed-tools as npx agent-browser:* and mentions installing appium for iOS simulator support.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes content from untrusted external websites.
  • Ingestion points: agent-browser open <url> and agent-browser snapshot (found in SKILL.md).
  • Boundary markers: None identified; the agent uses accessibility tree snapshots which include text content from the page.
  • Capability inventory: High-risk capabilities include click, fill, eval, and state save (found in references/commands.md).
  • Sanitization: No sanitization or safety filtering of web content is documented before it is passed to the agent's context.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 27, 2026, 07:20 AM