The Agent Skills Directory

[COMMAND_EXECUTION]: The scripts/start.js script executes aggressive shell commands via execSync to kill all running Chrome processes (killall 'Google Chrome') and create directories.
[DATA_EXFILTRATION]: While no external network exfiltration was found, scripts/start.js contains logic to copy the user's entire local Chrome profile (including sensitive data like cookies, history, and stored logins) from standard macOS paths to a skill-managed cache directory (~/.cache/scraping) using rsync when the --profile flag is used.
[COMMAND_EXECUTION]: The scripts/eval.js script allows for the execution of arbitrary JavaScript within the browser's context via the Chrome DevTools Protocol (CDP). This is a powerful capability that could be abused if the agent receives malicious instructions from a website.
[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8).
Ingestion points: Browsing arbitrary external websites via scripts/nav.js.
Boundary markers: Absent. There are no delimiters or instructions to ignore embedded commands in the processed web content.
Capability inventory: Full browser control (clicking, navigation), arbitrary JavaScript execution (eval.js), screenshot capture (screenshot.js), and local logging of network and console activity (watch.js).
Sanitization: None. The automation scripts interact directly with the DOM and execute code without filtering or validation.

web-browser