skills/iuliandita/skills/browse/Gen Agent Trust Hub

browse

Fail

Audited by Gen Agent Trust Hub on May 6, 2026

Risk Level: HIGH
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions include numerous shell commands using tools like curl, lightpanda, and agent-browser for web interaction and data processing.
  • [COMMAND_EXECUTION]: In the references/tool-setup.md file, the workflow recommends using sudo to move the lightpanda binary to /usr/local/bin/, which constitutes a privilege escalation risk.
  • [EXTERNAL_DOWNLOADS]: The skill directs users to download executable binaries from a non-trusted GitHub repository (lightpanda-io/browser). Evidence found in references/tool-setup.md: curl -L -o lightpanda https://github.com/lightpanda-io/browser/releases/download/0.2.9/lightpanda-x86_64-linux.
  • [DATA_EXFILTRATION]: The skill provides instructions for extracting browser cookies via the evaluate tool and using them with curl to fetch protected resources. This capability, while functional for authenticated browsing, could be leveraged to exfiltrate session data to arbitrary domains.
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8) due to its core function of ingesting untrusted web data.
      • Ingestion points: Web pages fetched via WebFetch, Lightpanda, or Playwright as described in SKILL.md and references/extraction-patterns.md.
      • Boundary markers: Absent. No specific delimiters or instructions to ignore embedded commands are mandated for processed content.
      • Capability inventory: Significant local capabilities including shell access (curl), file system writes (> extracted.md), and browser automation (click, fill, evaluate).
      • Sanitization: Absent. The skill does not mention escaping or sanitizing fetched content before presenting it to the agent context.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: May 6, 2026, 05:53 AM