NYC

browser-automation

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH (CREDENTIALS_UNSAFE, DATA_EXFILTRATION, COMMAND_EXECUTION)
Full Analysis
  • [CREDENTIALS_UNSAFE] (HIGH): The skill instructs the agent to perform manual login steps, including typing the user's email and password into input fields using browser_type (SKILL.md, Step 3). Credentials handled in this manner are typically recorded in cleartext in the agent's execution logs or tool-call history, creating a high risk of credential exposure.
  • [DATA_EXFILTRATION] (HIGH): The primary data acquisition method is browser_snapshot. This tool captures the entire visual state of the page. When the agent is logged into ChatGPT Plus or Gemini Advanced, these snapshots will contain sensitive information such as personal chat history, account metadata, and potentially session tokens. If these logs are stored or transmitted insecurely, it results in the exfiltration of private user data.
  • [COMMAND_EXECUTION] (MEDIUM): The skill provides a set of low-level browser primitives (browser_click, browser_navigate, browser_type). While these are necessary for the stated purpose, they grant the agent the ability to perform arbitrary actions within a browser session, which could be exploited to perform unauthorized actions on the user's behalf if the agent is misdirected.
  • [INDIRECT_PROMPT_INJECTION] (LOW):
      • Ingestion points: External content is ingested via browser_snapshot from chat.openai.com and gemini.google.com (File: SKILL.md).
      • Boundary markers: Absent. The instructions do not define clear delimiters or "ignore" instructions for the captured text.
      • Capability inventory: The agent can navigate to arbitrary URLs, click elements, and type text (SKILL.md).
      • Sanitization: Absent. The skill captures the response text and processes it directly without filtering or escaping.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 06:12 PM