browser

Warn

Audited by Gen Agent Trust Hub on Feb 21, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION

Full Analysis
  • Obfuscation (MEDIUM): The tool includes an eval -b flag in references/advanced.md that accepts Base64-encoded strings for JavaScript execution. While documented as a way to avoid shell escaping issues, this functionality directly enables the obfuscation of code intent, making it harder for security monitors to detect malicious scripts being executed in the browser context.
  • Indirect Prompt Injection (LOW): The tool is specifically designed to feed web data to AI agents, creating a classic indirect prompt injection surface. A malicious website could contain hidden instructions that leverage the tool's capabilities (like file uploading or session theft) to compromise the agent's host environment.
      ◦ Ingestion points: agent-browser snapshot and agent-browser get text (references/snapshot-refs.md).
      ◦ Boundary markers: None documented; the tool relies on the agent's ability to distinguish between instructions and data.
      ◦ Capability inventory: agent-browser upload, agent-browser eval, agent-browser network route, and agent-browser state save (references/advanced.md, references/auth.md).
      ◦ Sanitization: No mention of sanitizing or escaping the HTML/text content before it is passed to the LLM.
  • Data Exposure (LOW): The tool provides commands to extract sensitive session data, including agent-browser cookies and agent-browser storage local, as well as the ability to save the entire browser state (including authentication tokens) to local JSON files (agent-browser state save). If not handled with the 'Security Best Practices' mentioned in references/auth.md, these files could lead to credential exposure.
  • Command Execution (LOW): The eval and upload commands are powerful primitives that allow an agent to execute code in the browser or send local files to remote servers. While inherent to the tool's purpose as a browser automation engine, they represent high-risk capabilities that must be strictly controlled.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 21, 2026, 03:02 PM