agent-browser

Warn

Audited by Gen Agent Trust Hub on Feb 27, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides a comprehensive CLI tool called agent-browser that enables the agent to perform a wide range of browser actions, including DOM manipulation, form interaction, and network route interception.
  • [REMOTE_CODE_EXECUTION]: The skill includes an eval command that allows for the execution of arbitrary JavaScript within the context of the current web page. Additionally, the --executable-path flag allows the agent to specify and execute any binary on the system as the browser process.
  • [DATA_EXFILTRATION]: The tool provides direct access to sensitive browsing data through commands like cookies, storage local, and get html, which can be used to extract session tokens, local database contents, and private user information from web pages.
  • [CREDENTIALS_UNSAFE]: The skill facilitates the use and persistence of sensitive credentials via the set credentials command and the state save feature, which exports authentication states and cookies to local JSON files.
  • [PROMPT_INJECTION]: The skill creates a significant surface for indirect prompt injection because it ingests and processes untrusted content from the web and presents it to the agent without isolation.
    * Ingestion points: Web content is ingested via the agent-browser snapshot, get text, and get html commands (found in SKILL.md and references/snapshot-refs.md).
    * Boundary markers: There are no boundary markers or instructions to ignore embedded commands provided when the agent receives content from the browser.
    * Capability inventory: The agent has access to dangerous capabilities while processing this untrusted data, including JavaScript execution (eval), session token access (cookies), and network manipulation (network route).
    * Sanitization: No sanitization or validation of the ingested web content is performed before it is added to the agent's context.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 27, 2026, 06:52 PM