chrome-cdp

Pass

Audited by Gen Agent Trust Hub on May 1, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill implements a persistent per-tab daemon system using subprocess.Popen. This is used to spawn instances of itself (python -m chrome_cdp _daemon <target_id>) to keep CDP sessions alive. The implementation uses list-based arguments and sys.executable, which is a secure pattern that avoids shell injection vulnerabilities.
  • [PROMPT_INJECTION]: As a tool designed to ingest and process arbitrary web content (HTML, accessibility trees, and network logs), the skill presents a surface for indirect prompt injection. A malicious website could attempt to embed instructions within its source code to influence the agent's behavior.
      • Ingestion points: Web content is retrieved via html_str, snapshot_str, and net_str in src/chrome_cdp/commands.py.
      • Boundary markers: No explicit delimiters or 'ignore' instructions are added to the ingested data before presenting it to the agent.
      • Capability inventory: The skill has extensive capabilities, including navigating to new URLs (nav_str), executing arbitrary JavaScript (eval_str), and clicking UI elements (click_str).
      • Sanitization: No sanitization is performed on ingested HTML or page structure data. This is standard for browser automation tools, but users should be aware of the inherent risk when interacting with untrusted websites.
  • [SAFE]: The skill uses Unix domain sockets in /tmp for IPC between the CLI and its daemons. It also reads the DevToolsActivePort file from the Chrome user profile directory to discover the debugger's WebSocket URL. These operations are restricted to the local environment and are necessary for the skill's stated purpose.
Audit Metadata
Risk Level: SAFE
Analyzed: May 1, 2026, 04:50 AM