
dev-browser

Fail

Audited by Gen Agent Trust Hub on Feb 25, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill's primary operational mode involves the agent writing and executing arbitrary TypeScript/JavaScript code locally via npx tsx and shell commands (documented in SKILL.md and implemented in server.sh).
  • [EXTERNAL_DOWNLOADS]: The scripts/start-server.ts script automatically executes npm install and playwright install chromium to fetch external binaries and libraries. Additionally, SKILL.md directs users to download a browser extension from an untrusted GitHub repository (SawyerHood/dev-browser).
  • [DATA_EXFILTRATION]: The 'Extension Mode' described in SKILL.md and implemented in src/relay.ts grants the agent control over the user's actual browser session, providing access to cookies, saved passwords, and authenticated web applications. This presents a significant risk of sensitive data exposure if the agent is coerced into navigating to malicious sites or replaying API requests to attacker-controlled servers.
  • [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection. The getAISnapshot function in src/client.ts and the associated injection logic in src/snapshot/browser-script.ts read and process the full accessibility tree of any website the agent visits. Malicious instructions embedded in a webpage's HTML or metadata could be interpreted as commands by the agent.
  • [DYNAMIC_EXECUTION]: The system uses eval() inside page.evaluate() within src/client.ts and src/snapshot/__tests__/snapshot.test.ts to execute bundled snapshot logic. The entire workflow relies on the runtime generation and execution of scripts (Category 10).
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 25, 2026, 06:52 PM