reflex-browser
Warn
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides an `eval` command that allows the agent to execute arbitrary JavaScript within the browser context. This capability can be used to manipulate page state or access sensitive data stored in the browser session, such as cookies or local storage.
- [EXTERNAL_DOWNLOADS]: Installation instructions guide the user to configure a private npm registry (https://git.bqa-solutions.nl/api/packages/reflex/npm/) and install a global package (`@reflexautomation/browser-cli`). This involves downloading and executing binaries from a non-standard, vendor-controlled source.
- [REMOTE_CODE_EXECUTION]: The `eval <javascript>` functionality facilitates dynamic code execution, which poses a risk if the agent is directed to run untrusted scripts or if malicious content on a webpage influences the script's generation.
- [DATA_EXFILTRATION]: Commands such as `screenshot`, `html`, and `text` are designed to extract data from web pages. While these are intended features for automation, they provide a mechanism for capturing and extracting potentially sensitive information from a user's browser environment.
- [PROMPT_INJECTION]: As the skill interacts with live web content, it is vulnerable to indirect prompt injection. Malicious instructions embedded in websites could attempt to hijack the agent's logic during an automation session.
  - Ingestion points: Data retrieved from the browser via `summary`, `html`, and `text` commands.
  - Boundary markers: There are no explicit delimiters or instructions provided to separate web content from the agent's operational logic.
  - Capability inventory: Use of the `reflex-browser` CLI tool, execution of JavaScript via `eval`, and browser session manipulation.
  - Sanitization: No validation or sanitization of extracted web content is defined before the data is processed by the agent.
Audit Metadata