agent-browser
Pass
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- Data Exposure & Exfiltration (LOW): The skill facilitates the generation of session state files (e.g., auth-state.json) that store sensitive authentication cookies and localStorage data. While documentation provides best practices for securing these files, their existence poses a risk of credential exposure if handled improperly (e.g., committed to a repository).
  - Evidence: templates/authenticated-session.sh and references/session-management.md describe saving and loading state files.
- Dynamic Execution (LOW): The tool provides an eval command that can execute arbitrary JavaScript within the browser context, including via Base64-encoded strings. While documented as a feature for shell compatibility, this remains a high-capability vector for executing unverified code.
  - Evidence: references/commands.md documents agent-browser eval -b "".
- Indirect Prompt Injection (LOW): The skill is designed to ingest and process content from arbitrary URLs, creating a surface for indirect prompt injection attacks where malicious web content could influence agent behavior.
  - Ingestion points: templates/capture-workflow.sh (text extraction) and references/snapshot-refs.md (element structure analysis).
  - Boundary markers: Absent. Ingested content is not explicitly delimited or marked as untrusted.
  - Capability inventory: Full browser interaction (clicking, typing), file system writes (screenshots, PDFs), and network access.
  - Sanitization: Absent. No sanitization or filtering of web content is demonstrated in the provided templates.