agent-browser

Verdict: Warn

Audited by Gen Agent Trust Hub on Mar 27, 2026

Risk Level: MEDIUM
Flags: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill enables extensive shell-based interaction with a browser daemon, supporting complex workflows including navigation, DOM manipulation, file uploads, and system clipboard access.
  • [REMOTE_CODE_EXECUTION]: The eval command allows the execution of arbitrary JavaScript within the browser context. The -b or --base64 flag facilitates the execution of encoded scripts, which can be used to hide malicious intent from static analysis.
  • [CREDENTIALS_UNSAFE]: Browser session states, including cookies and local storage, are saved in plaintext JSON files by default. While encryption is supported via environment variables, the default behavior risks exposing sensitive session tokens. Additionally, the skill encourages connecting to browsers via --remote-debugging-port, which exposes the browser to any local process.
  • [DATA_EXFILTRATION]: The skill provides numerous tools for extracting data from the browser (e.g., get text, snapshot, screenshot, network requests), which can be used to harvest sensitive information from authenticated sessions.
  • [PROMPT_INJECTION]: As the tool is designed to navigate and extract data from arbitrary websites, it is susceptible to indirect prompt injection where a malicious website provides instructions to the agent.
      • Ingestion points: Web content extracted via snapshot, get text, and screenshot across multiple files (SKILL.md, references/snapshot-refs.md).
      • Boundary markers: The skill offers an optional AGENT_BROWSER_CONTENT_BOUNDARIES feature to wrap output, but it is not enabled by default.
      • Capability inventory: The agent has access to high-impact capabilities including eval for script execution, fill/click for form interaction, and state save for credential persistence.
      • Sanitization: No default sanitization or filtering is applied to the page content returned to the agent.
  • [SAFE]: Instructions for installing the core CLI tool and its dependencies use standard package managers (npm, cargo, brew).
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 27, 2026, 03:30 PM