The Agent Skills Directory

[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted data from the web.
Ingestion points: Data enters the agent context through page snapshots (via take_snapshot), console messages (via list_console_messages), and network request details (via get_network_request) extracted from visited websites in SKILL.md.
Boundary markers: The instructions lack delimiters or explicit directives for the agent to ignore instructions embedded within the data retrieved from external sources.
Capability inventory: The skill provides high-privilege capabilities including reading files (upload_file), writing files (take_screenshot, take_snapshot, performance_stop_trace, get_network_request), navigating to arbitrary URLs, and executing arbitrary JavaScript (evaluate_script) in SKILL.md.
Sanitization: There is no evidence of data sanitization or validation of the content ingested from the browser before it is processed by the agent.
[EXTERNAL_DOWNLOADS]: The installation guide in references/installation.md directs users to download and install the chrome-devtools-mcp package globally from the public NPM registry.
[REMOTE_CODE_EXECUTION]: The evaluate_script command in SKILL.md allows for the execution of arbitrary JavaScript code within the browser context. This is a primary feature of the tool but poses a risk if an attacker can influence the scripts being run via indirect injection.
[COMMAND_EXECUTION]: The skill relies on executing the chrome-devtools CLI tool to perform all operations, including those that interact with the local filesystem for saving snapshots, traces, and screenshots.
[DATA_EXFILTRATION]: The tool includes capabilities to read local files (via upload_file) and write data to files (via screenshots and traces). If an agent is compromised via indirect injection, these features could be leveraged to access or exfiltrate sensitive local information.

chrome-devtools-cli