agent-browser

Warn

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: MEDIUM

Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The eval command in SKILL.md and references/commands.md allows the agent to execute arbitrary JavaScript within the browser context. The inclusion of a base64 flag (-b) allows for the execution of encoded scripts, which can be used to obfuscate malicious logic from logs or simple textual audits.
  • [DATA_EXFILTRATION]: The skill supports an --allow-file-access flag as documented in SKILL.md. This permission enables the browser to open and read local system files using file:// URLs. If an agent is coerced into opening sensitive files (e.g., SSH keys, configuration files), the content could be read and exfiltrated.
  • [CREDENTIALS_UNSAFE]: The state save and auth save commands in SKILL.md and references/authentication.md export session cookies, local storage, and credentials to local files (e.g., auth.json). While the skill mentions encryption, these files remain high-value targets for exfiltration and session hijacking.
  • [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection (Category 8) because its primary function is to ingest and interact with untrusted third-party web content.
      • Ingestion points: Untrusted data enters the agent's context through the snapshot, get text, and get html commands across all reference files.
      • Boundary markers: The skill provides an opt-in AGENT_BROWSER_CONTENT_BOUNDARIES feature to wrap output, but it is not enforced by default.
      • Capability inventory: The skill has broad capabilities, including full network access, local file writing (screenshot, pdf, state save), and arbitrary code execution (eval).
      • Sanitization: There is no evidence of automated sanitization or filtering of the content retrieved from web pages before it is processed by the agent.
  • [EXTERNAL_DOWNLOADS]: The download command in SKILL.md permits the agent to download files from any URL to the local filesystem, which could be exploited to place malicious binaries or scripts on the host machine.
Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 5, 2026, 04:39 AM