skills/gannonh/skills/agent-browser/Gen Agent Trust Hub

agent-browser

Warn

Audited by Gen Agent Trust Hub on Feb 24, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, CREDENTIALS_UNSAFE)
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it is designed to ingest and process arbitrary content from external websites.
    • Ingestion points: External data enters the agent context through commands like 'agent-browser snapshot', 'agent-browser get text', and 'agent-browser open' (referenced in SKILL.md and templates/capture-workflow.sh).
    • Boundary markers: There are no documented boundary markers or instructions to the agent to ignore embedded commands in the ingested data.
    • Capability inventory: The skill possesses significant capabilities including arbitrary shell command execution via the 'Bash' tool, local file system access via the '--allow-file-access' flag, and JavaScript execution via the 'eval' command.
    • Sanitization: The skill does not implement sanitization or validation of the content retrieved from websites.
  • [COMMAND_EXECUTION]: The 'agent-browser eval' command enables the execution of arbitrary JavaScript within the browser. The support for Base64 encoded scripts via the '-b' flag (references/commands.md) allows for the execution of obfuscated code, which is a common technique for bypassing security checks.
  • [DATA_EXFILTRATION]: The inclusion of the '--allow-file-access' flag (SKILL.md) allows the browser to access local files using 'file://' URLs. This capability could be exploited to read sensitive system files if the agent is compromised via prompt injection.
  • [CREDENTIALS_UNSAFE]: Commands such as 'agent-browser set credentials' and 'agent-browser cookies set' (references/commands.md) involve handling authentication secrets. If used improperly, these secrets could be exposed in shell histories or logs, although the documentation recommends using environment variables as a best practice.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 24, 2026, 03:52 PM