browser-automation

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill creates a significant attack surface by reading untrusted external web content and exposing powerful interaction tools to the same agent that reasons over that content.
      • Ingestion points: The read_page, get_page_text, and find tools ingest raw or structured data from the browser's DOM and accessibility tree (as documented in references/claude-in-chrome-mcp.md). Any page the agent visits, including an attacker-controlled one, can therefore place text directly into the agent's context.
      • Boundary markers: The provided execution patterns and sequential-thinking templates (e.g., resources/sequential-thinking-patterns.md) include no delimiters around ingested page content and no instruction to treat it as untrusted data rather than as instructions.
      • Capability inventory: The skill includes high-privilege interaction tools such as navigate, form_input, and computer (mouse and keyboard control) that can perform state-changing operations on the user's behalf, so an injected instruction can be turned into action within the same session.
      • Sanitization: There is no evidence that content retrieved by read_page is sanitized, filtered, or flagged before it is processed by the agent's reasoning engine.
  • Command Execution (MEDIUM): The computer tool allows the agent to simulate keyboard and mouse events (references/claude-in-chrome-mcp.md). Although it is restricted to the browser context, an attacker-controlled webpage could use it to trick the agent into clicking sensitive UI elements or entering data into fields it should not access.
Recommendations
  • Automated analysis detected serious security threats; see the Full Analysis above for the specific findings.
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 01:37 PM