chrome-devtools

Fail

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: HIGH
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The screenshot.js script is vulnerable to shell command injection through the --output argument. The script constructs command strings for ImageMagick by directly interpolating the output file path (e.g., compressionCmd = `magick "${filePath}" ...`) and executing them via execSync without sanitization. Evidence: scripts/screenshot.js.
  • [REMOTE_CODE_EXECUTION]: The evaluate.js script allows arbitrary JavaScript execution in the browser context using eval(). This poses a risk if the agent processes untrusted code strings from a visited web page. Evidence: scripts/evaluate.js.
  • [COMMAND_EXECUTION]: The install-deps.sh script uses sudo to install system packages and libraries, which requires the user to grant root-level permissions during setup. Evidence: scripts/install-deps.sh.
  • [EXTERNAL_DOWNLOADS]: The skill installation process automates the downloading of third-party packages from the NPM registry and system dependencies from official OS repositories. Evidence: scripts/install.sh.
  • [DATA_EXFILTRATION]: Scripts such as network.js and console.js can monitor and capture sensitive browser data, including network headers, POST payloads, and console logs, and store them in local files. Evidence: scripts/network.js.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted data from external websites without using boundary markers. Malicious content on a web page could potentially manipulate the agent's browser automation tasks. Ingestion point: Web pages via navigate.js; Boundary markers: Absent; Capability inventory: evaluate.js (JS execution), screenshot.js (shell access via injection); Sanitization: Absent for page-derived data. Evidence: SKILL.md.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 10, 2026, 07:58 PM