skills/coder/mux/electron/Gen Agent Trust Hub

electron

Pass

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests data from external applications (Slack, Discord, VS Code) which may contain instructions designed to manipulate the agent.
      • Ingestion points: agent-browser snapshot and agent-browser get text in SKILL.md.
      • Boundary markers: No markers or 'ignore' instructions are present to delimit untrusted application content.
      • Capability inventory: The agent has the ability to click, type, and execute shell commands through the allowed-tools configuration.
      • Sanitization: No sanitization or validation of application content is performed.
  • [COMMAND_EXECUTION]: The skill provides instructions to launch native applications with the --remote-debugging-port flag. This exposes the application's internal Chrome DevTools Protocol (CDP) interface on a local network port, which could be exploited by other processes on the same system to gain control or access data.
  • [DATA_EXFILTRATION]: By automating sensitive applications like Slack or VS Code, the agent can programmatically access private messages, source code, and configuration files via snapshot and screenshot commands, creating a pathway for sensitive data exposure.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 14, 2026, 09:38 PM