agent-browser

Pass

Audited by Gen Agent Trust Hub on Mar 17, 2026

Risk Level: SAFE

Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill relies extensively on the infsh (inference-sh) CLI to perform browser actions. All functions such as open, snapshot, and interact are executed as shell commands through this vendor-provided tool.
  • [REMOTE_CODE_EXECUTION]: The execute function enables the execution of arbitrary JavaScript code within the context of the active browser session. While this is a primary feature of the tool, it represents a dynamic code execution surface.
  • [DATA_EXFILTRATION]: The interact tool includes an upload action capable of sending local files to remote web forms. Additionally, functions like snapshot and execute facilitate the extraction of sensitive information, such as cookies or page content, from the browser session.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted content from the web while maintaining powerful capabilities. An attacker-controlled website could potentially provide instructions that the agent might follow.
      ◦ Ingestion points: External web data is ingested into the agent context via the open, snapshot, and interact functions.
      ◦ Boundary markers: No explicit delimiters or 'ignore embedded instructions' warnings are used to separate untrusted web content from the agent's system instructions.
      ◦ Capability inventory: The skill allows file uploads, arbitrary JavaScript execution, and form submission.
      ◦ Sanitization: There is no evidence of sanitization or filtering of the external content before it is processed by the agent.
  • [CREDENTIALS_UNSAFE]: Documentation and templates (e.g., references/authentication.md, templates/authenticated-session.sh) provide patterns for handling authentication. While they correctly advise using environment variables instead of hardcoding, these workflows involve the handling of sensitive credentials within the agent's operational environment.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 17, 2026, 02:02 PM