agent-browser

Fail

Audited by Gen Agent Trust Hub on Mar 25, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill documents an installation procedure that involves piping a remote script directly into a shell context.
  • Evidence: curl -fsSL https://cli.inference.sh | sh in SKILL.md.
  • Note: This script originates from the vendor's official domain.
  • [COMMAND_EXECUTION]: The skill exposes a function that allows for the execution of arbitrary JavaScript code within the browser context.
  • Evidence: The execute function documented in references/commands.md and SKILL.md allows users to provide and run custom JS strings.
  • [DATA_EXFILTRATION]: The documentation provides guidance and code snippets for extracting sensitive information from the browser context, such as cookies and performance resource entries.
  • Evidence: The "Cookie Extraction" section in references/authentication.md demonstrates how to use the execute function to retrieve document.cookie.
  • [PROMPT_INJECTION]: The skill functions as a gateway to untrusted web content, presenting a surface for indirect prompt injection attacks.
  • Ingestion points: Functions like open, snapshot, and execute return raw or structured content from arbitrary URLs (e.g., elements_text in SKILL.md and document.body.innerText in templates/capture-workflow.sh).
  • Boundary markers: There are no explicit boundary markers or instructions provided to the agent to treat the ingested web content as untrusted or to ignore embedded instructions.
  • Capability inventory: The infsh tool provides extensive browser automation capabilities, which could be misdirected by injected instructions from a malicious website.
  • Sanitization: No sanitization, filtering, or validation of the content retrieved from external websites is performed before it is passed to the agent context.
Recommendations
  • HIGH: Downloads and executes remote code from https://cli.inference.sh. DO NOT USE without thorough review.
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 25, 2026, 01:02 AM