
dogfood

Pass

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: Indirect Prompt Injection Attack Surface
    • Ingestion points: The skill ingests untrusted data from the target web application through several commands, including agent-browser snapshot -i (retrieves DOM structure), agent-browser console, and agent-browser errors (SKILL.md).
    • Boundary markers: The skill lacks explicit boundary markers or instructions for the agent to ignore or isolate instructions that may be embedded within the target website's HTML, metadata, or console logs.
    • Capability inventory: The agent has extensive interaction capabilities via agent-browser (e.g., click, fill, type, navigate) and local file system access through Bash (mkdir, cp). If manipulated by a malicious website, the agent could be coerced into performing unintended actions such as exfiltrating session data or navigating to phishing domains.
    • Sanitization: No sanitization or validation logic is applied to the content retrieved from the web browser before the agent interprets it to determine the next steps in the "Explore" workflow.
  • [COMMAND_EXECUTION]: Local File System Operations
    • The skill executes mkdir and cp commands to set up the report structure. While these are necessary for the skill's primary purpose, they rely on variables like {OUTPUT_DIR} and {SESSION}. If these variables are influenced by untrusted external input (e.g., a malicious URL slug), they could be used for directory traversal or localized file overwrites.
  • [DATA_EXFILTRATION]: Handling of Sensitive Session Data
    • The skill is designed to handle user authentication ({EMAIL}, {PASSWORD}) and explicitly saves session state to a local file (auth-state.json). It also generates screenshots and videos of the application state. Users should be aware that this sensitive information remains in the specified {OUTPUT_DIR} after the session concludes.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 10, 2026, 10:43 AM