The Agent Skills Directory

[REMOTE_CODE_EXECUTION]: The skill provides an eval command that executes arbitrary JavaScript in the browser context. It specifically supports a -b/--base64 flag for executing Base64-encoded scripts. While documented for shell-escaping convenience, this is a standard obfuscation technique that can hide malicious payloads from simple static analysis.- [CREDENTIALS_UNSAFE]: The state save functionality exports session cookies, local storage, and authentication tokens to local JSON files. While the documentation warns against committing these files, the tool provides the primary mechanism for exporting sensitive authentication credentials to the filesystem.- [DATA_EXFILTRATION]: The open command supports the file:// protocol, granting the agent access to read local system files. When combined with extraction tools like screenshot, pdf, or get text, this creates a direct path for exposing local sensitive data.- [COMMAND_EXECUTION]: The --executable-path global option allows the agent to specify an arbitrary local binary to run as the browser. This could be used to execute non-browser binaries or modified browsers with reduced security features.- [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection because it ingests untrusted data from external websites and returns it to the agent.
Ingestion points: agent-browser get text, agent-browser snapshot, and agent-browser get html (referenced in commands.md).
Boundary markers: None. The tool returns raw text or JSON from the webpage without delimiters or instructions to ignore embedded commands.
Capability inventory: The skill has broad capabilities including file writes (screenshot, state save), network manipulation (network route), and arbitrary script execution (eval).
Sanitization: No sanitization or filtering is performed on the extracted web content before it is passed to the agent context.

agent-browser