Skill: skills/duc01226/easyplatform/test-ui

test-ui

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • REMOTE_CODE_EXECUTION (HIGH): The evaluate.js script executes arbitrary JavaScript in the page context via eval(). This presents a significant risk if the agent is directed by an untrusted source to execute specific scripts.
  • CREDENTIALS_UNSAFE (HIGH): The inject-auth.js script and the shared lib/browser.js utility store sensitive authentication data, including session cookies and bearer tokens, in a plain-text local file named .auth-session.json. These secrets persist for 24 hours and are not encrypted.
  • PROMPT_INJECTION (HIGH): The skill is highly susceptible to Indirect Prompt Injection (Category 8) due to its core functionality.
    • Ingestion points: Data is ingested from untrusted external websites via snapshot.js (DOM tree), console.js (logs), network.js (traffic), and aria-snapshot.js (accessibility tree).
    • Boundary markers: None. Ingested data is returned to the agent without delimiters or warnings to ignore embedded instructions.
    • Capability inventory: The skill has extensive capabilities, including full browser automation, network request monitoring, and arbitrary script execution.
    • Sanitization: While lib/selector.js attempts to sanitize XPath selectors for common injection patterns, no sanitization is performed on the data scraped from web pages before it is presented to the agent.
  • COMMAND_EXECUTION (MEDIUM): The install-deps.sh script requires root privileges (sudo) to install a large number of system dependencies. While these are standard for Puppeteer, the execution of package managers with elevated privileges poses a risk of system-wide modification.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 12:37 PM