cloud
Warn
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The documentation instructs users and agents to execute a remote shell script using the command `curl -fsSL https://browser-use.com/profile.sh | sh`. This practice of piping remote content directly to a shell is dangerous as it executes unverified code on the host machine. This pattern appears in both the quickstart and sessions reference files.
- [EXTERNAL_DOWNLOADS]: The skill documents the installation of external software packages from public registries, including the `browser-use-sdk` for Python and TypeScript, and the `browser-use[cli]` package. These represent external code dependencies required for the platform's functionality.
- [COMMAND_EXECUTION]: The documentation provides extensive examples of shell commands, including complex cURL requests and direct CLI tool invocations for browser automation. An agent with terminal access could follow these examples to execute commands on the local system.
- [CREDENTIALS_UNSAFE]: The documentation for direct CDP access (Browser API) specifies that authentication is performed by passing the API key as a query parameter in WebSocket and HTTPS URLs (e.g., `wss://connect.browser-use.com?apiKey=...`). Passing sensitive credentials in URLs is a security risk as they are often captured in cleartext by server logs, proxies, and browser history.
- [PROMPT_INJECTION]: The skill documents an interface for autonomous agents that ingest and process untrusted web content from the internet. This creates an indirect prompt injection surface. Evidence Chain:
  1. Ingestion points: The `run()` and `POST /tasks` endpoints (documented in `references/api-v2.md` and `references/api-v3.md`) accept task prompts that are executed against external web data.
  2. Boundary markers: No explicit boundary markers or isolation instructions for user prompts vs. web content are described in the API documentation.
  3. Capability inventory: The agent has capabilities for browser interaction, file I/O via workspaces, and integration with third-party services like Slack and email.
  4. Sanitization: No sanitization or filtering of external web content before processing is mentioned.