agent-browser

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [Indirect Prompt Injection] (LOW): This skill exposes a significant attack surface for indirect prompt injection by processing untrusted data from the internet.
      • Ingestion points: The skill uses agent-browser open, agent-browser snapshot, and agent-browser get text (as seen in SKILL.md and references/snapshot-refs.md) to pull external web content into the agent's context.
      • Boundary markers: No explicit boundary markers or instructions to ignore embedded commands within web pages are provided in the skill definition.
      • Capability inventory: The skill possesses high-privilege tools including agent-browser eval (JavaScript execution), agent-browser upload (local file read), and agent-browser screenshot/pdf (file system writes).
      • Sanitization: No sanitization or validation of the ingested web content is performed before processing.
  • [Dynamic Execution] (MEDIUM): The agent-browser eval command allows the agent to execute arbitrary JavaScript within the browser environment.
      • Evidence: references/commands.md documents the eval command, including an option for executing Base64 encoded strings (-b/--base64), which can be used to bypass static analysis or conceal malicious logic.
  • [External Downloads] (MEDIUM): The skill documentation encourages the installation of external packages not included in the trusted list.
      • Evidence: SKILL.md specifies requirements for appium via npm install -g appium for mobile browser automation.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 17, 2026, 06:38 PM