agent-browser

Warn

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill implements an 'eval' command that allows an agent to execute arbitrary JavaScript code within the browser. This capability is a significant security risk if the agent is tricked into running malicious scripts generated by or retrieved from untrusted sources.
  • [DATA_EXFILTRATION]: The browser automation tool includes a '--allow-file-access' flag that enables the navigation and reading of local files via the 'file://' protocol. This presents a direct risk of sensitive data exposure, as an agent could be instructed to read and exfiltrate local configuration files, documents, or system data.
  • [EXTERNAL_DOWNLOADS]: The skill uses 'npx' to execute its core functionality, which triggers the download and execution of software packages from the npm registry at runtime. This introduces a dependency on external code and the security of the npm repository.
  • [CREDENTIALS_UNSAFE]: The 'auth save' feature provides a mechanism for storing credentials locally in a configuration directory. While the documentation suggests using encryption via an environment variable, the persistence of sensitive login data on the host system increases the risk of credential theft if the machine is compromised.
  • [PROMPT_INJECTION]: As the tool is designed to process content from arbitrary websites, it is highly vulnerable to indirect prompt injection. Malicious instructions embedded in a website's HTML or text could influence the agent to perform unauthorized actions. Although 'content boundaries' are documented as a mitigation, they are not enabled by default.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 10, 2026, 08:29 AM