AGENT LAB: SKILLS

chrome-devtools

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, COMMAND_EXECUTION

Full Analysis
  • PROMPT_INJECTION (HIGH): The skill is highly vulnerable to Indirect Prompt Injection because it is designed to ingest and act upon data from untrusted external websites.
  • Ingestion points: The tools take_snapshot, list_network_requests, and list_console_messages pull content directly from active web pages into the agent's context.
  • Boundary markers: Absent. There are no instructions to the agent to treat page content as untrusted or to use delimiters to separate instructions from data.
  • Capability inventory: The skill possesses powerful capabilities including evaluate_script (arbitrary JS execution), upload_file (filesystem interaction), and form-filling interactions.
  • Sanitization: Absent. There is no mention of sanitizing web data before using it to generate interaction logic or scripts.
  • REMOTE_CODE_EXECUTION (HIGH): The evaluate_script tool allows for the execution of arbitrary code within the browser context. This is a primary target for attackers who can place malicious instructions on a webpage to trick the agent into running JS that steals credentials or performs cross-site actions.
  • DATA_EXFILTRATION (HIGH): Tools like list_network_requests and evaluate_script can be used to extract sensitive session data, such as cookies, Bearer tokens, and local storage. This data can be exfiltrated by sending it to an external endpoint controlled by an attacker.
  • COMMAND_EXECUTION (MEDIUM): The browser automation tools (click, fill, handle_dialog) allow the agent to perform actions on behalf of the user. If the browser is authenticated to internal or private services, a malicious prompt can result in unauthorized transactions or data modification.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 15, 2026, 08:43 PM