grabbit

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION] (HIGH): The core workflow involves capturing browser sessions and sending them to a backend via grabbit save. HAR files generated by browser sessions often contain sensitive data, including session cookies, Authorization headers, and PII, which are exfiltrated to the service backend.
  • [EXTERNAL_DOWNLOADS] (HIGH): The commands grabbit skill install and grabbit add <workflow-id> facilitate the download and installation of external logic and configuration. Since 'grabbit' is not a recognized trusted source, these operations represent unverified remote code acquisition.
  • [PROMPT_INJECTION] (HIGH): The skill is susceptible to Indirect Prompt Injection (Category 8).
      • Ingestion points: Untrusted data enters the agent context via grabbit browse --session <name> open <url> and subsequent snapshot commands (SKILL.md).
      • Boundary markers: None are present to distinguish web content from system instructions.
      • Capability inventory: The agent has capabilities for browser interaction (click, fill), network exfiltration (save), and component installation (skill install) (SKILL.md).
      • Sanitization: No sanitization or filtering of the ingested HTML/web content is mentioned. An attacker-controlled site could provide instructions the agent might follow using its toolset.
  • [COMMAND_EXECUTION] (MEDIUM): The skill relies on executing shell commands to interact with the Grabbit CLI. While standard for CLI tools, this increases the impact of any potential injection that hijacks the agent's command parameters.
  • [CREDENTIALS_UNSAFE] (MEDIUM): The instructions explicitly guide the agent to display and export API keys (grabbit keys show and export GRABBIT_API_KEY). This practice risks accidental credential leakage through logs, shell history, or exfiltration during an active browser session.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 03:30 AM