reflex-browser-cli

Fail

Audited by Gen Agent Trust Hub on Mar 2, 2026

Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the user to install a global package from a non-standard NPM registry (https://git.bqa-solutions.nl/api/packages/reflex/npm/). This registry is not part of the trusted vendors list or well-known services, posing a supply chain risk.
  • [COMMAND_EXECUTION]: The skill operates by launching a persistent CLI process (reflex-browser), which creates a direct interface for the agent to execute shell-level automation commands on the host system.
  • [REMOTE_CODE_EXECUTION]: The eval command (documented in references/commands.md) allows for arbitrary JavaScript execution within the active browser context. This capability can be used to bypass security controls or perform unauthorized actions on behalf of the user.
  • [DATA_EXFILTRATION]: Capabilities such as screenshot, html, and source enable the agent to capture and transmit sensitive data from web pages, including authenticated sessions and internal URLs.
  • [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection due to its core functionality.
    1. Ingestion points: The agent reads untrusted data from the web using the open, text, and summary commands.
    2. Boundary markers: No delimiters or protective instructions are provided to help the agent distinguish between web content and its own rules.
    3. Capability inventory: The skill provides high-impact tools like eval, click, and fill that can be manipulated by malicious web content.
    4. Sanitization: No input validation or filtering of external content is present in the skill definition.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 2, 2026, 12:03 PM