The Agent Skills Directory

[COMMAND_EXECUTION]: The skill relies on the agent-browser CLI to perform browser actions. This tool has broad capabilities including managing network requests, intercepting traffic, and controlling browser sessions.
[REMOTE_CODE_EXECUTION]: The skill explicitly supports and encourages the use of agent-browser eval to execute arbitrary JavaScript within the browser context. It specifically highlights the use of base64 encoding (-b flag) and stdin to bypass shell escaping, which are common techniques for executing complex or obfuscated payloads.
[DATA_EXFILTRATION]: The tool supports the --allow-file-access flag, enabling the agent to read local system files (e.g., file:///etc/passwd or SSH keys) via the browser. Additionally, the skill manages session state files (auth.json) containing sensitive cookies and localStorage data, which could be targeted for exfiltration.
[PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection. It ingest untrusted data from the web through commands like snapshot and get text and processes this content without sanitization or boundary markers. This data is then returned to the agent's context where it could contain malicious instructions.
Ingestion points: SKILL.md, references/commands.md (via snapshot, get text, and get html commands).
Boundary markers: None identified in the templates or core instructions to distinguish between tool output and embedded web instructions.
Capability inventory: The agent has access to Bash via the agent-browser CLI, which can perform network requests, file system reads (with specific flags), and arbitrary JS execution (eval).
Sanitization: No evidence of output filtering or escaping of scraped content.
[CREDENTIALS_UNSAFE]: Documentation and templates (templates/authenticated-session.sh) suggest the use of environment variables for credentials (APP_USERNAME, APP_PASSWORD) and persistence of authentication tokens in local JSON files, which may be exposed if the environment is compromised.

agent-browser