agent-browser

Pass

Audited by Gen Agent Trust Hub on May 13, 2026

Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill references installation instructions for the required belt CLI tool hosted on the author's public GitHub repository (inference-sh/skills). This is a legitimate resource used for environment setup.
  • [COMMAND_EXECUTION]: The skill utilizes the execute function to run arbitrary JavaScript code within the context of the browser. This is a core feature for web automation and data extraction tasks.
  • [COMMAND_EXECUTION]: All browser operations are facilitated through shell command executions of the belt CLI tool, which manages the underlying Playwright sessions.
  • [CREDENTIALS_UNSAFE]: The skill provides documentation and templates for managing sensitive authentication data, including user login credentials, proxy authentication (username and password), and TOTP secrets for two-factor authentication. The provided examples encourage the use of environment variables rather than hardcoding secrets.
  • [DATA_EXFILTRATION]: Functions are provided to extract browser state and data, including cookies (via document.cookie), page text, links, and video recordings of sessions. These capabilities are intended for legitimate automation and debugging workflows.
  • [PROMPT_INJECTION]: The skill's primary function—ingesting and processing content from external web pages—presents a surface for indirect prompt injection.
      ◦ Ingestion points: Content is retrieved from arbitrary URLs via the open, snapshot, interact, and execute functions.
      ◦ Boundary markers: The documentation does not specify the use of delimiters or 'ignore' instructions for the agent when processing extracted web content.
      ◦ Capability inventory: The agent can perform complex browser actions and execute JavaScript based on its instructions.
      ◦ Sanitization: There is no mention of automated sanitization or filtering of the content retrieved from web pages before it is passed to the agent.
Audit Metadata
Risk Level: SAFE
Analyzed: May 13, 2026, 06:04 AM