agentic-browser

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: CRITICAL (REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
  • Unverifiable Dependencies & Remote Code Execution (CRITICAL): The skill documentation recommends an insecure installation method for its CLI tool.
      • Evidence: The command curl -fsSL https://cli.inference.sh | sh downloads and executes a script from an untrusted domain without any cryptographic verification or user review, allowing the remote server to execute arbitrary code with the user's shell privileges.
  • Dynamic Execution (HIGH): The skill provides an execute function that allows the agent to run arbitrary JavaScript code within the browser context.
      • Evidence: In SKILL.md, the execute function accepts a code string that is executed via the browser automation backend. This could be used to bypass security policies or interact with sensitive page data if the agent is manipulated.
  • Indirect Prompt Injection (LOW): The skill is highly vulnerable to indirect prompt injection due to its core browsing capabilities.
      • Ingestion points: The open and snapshot functions allow the agent to ingest arbitrary content from any URL.
      • Boundary markers: Absent. There are no instructions or delimiters defined to prevent the agent from following commands embedded in the web content.
      • Capability inventory: The skill has significant capabilities including Bash(infsh *) tool access, file upload actions, and arbitrary JavaScript execute calls.
      • Sanitization: Absent. The skill does not provide any mechanism to filter or sanitize content retrieved from the web before the agent processes it.
  • Data Exposure & Exfiltration (MEDIUM): The skill facilitates the handling of sensitive data such as proxy credentials and local files.
      • Evidence: Support for proxy_username, proxy_password, and an upload action for file paths in tool inputs increases the risk of exfiltrating sensitive local data or exposing credentials in logs.
Recommendations
  • HIGH: Downloads and executes remote code from: https://cli.inference.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
  • Risk Level: CRITICAL
  • Analyzed: Feb 17, 2026, 05:33 PM