agent-browser

Warn

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill provides an eval command that enables the execution of arbitrary JavaScript within the browser context. This includes a --base64 option for executing Base64-encoded strings, which could be used to obfuscate malicious scripts and bypass basic text-based detection.
  • [DATA_EXFILTRATION]: Use of the --allow-file-access flag with the open command allows the browser to navigate to and read local system files (e.g., file:///etc/passwd). This presents a significant risk of sensitive data exposure if the agent is directed to access local paths. The skill also facilitates the extraction and saving of session cookies and localStorage data to disk.
  • [EXTERNAL_DOWNLOADS]: The skill instructions utilize npx to dynamically download and execute the agent-browser package from the NPM registry at runtime. It also references the installation of appium for mobile simulation tasks.
  • [COMMAND_EXECUTION]: The tool relies on shell command execution for its primary operations. Provided script templates (authenticated-session.sh) are designed to process environment variables that may contain sensitive user credentials such as APP_PASSWORD.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection when processing content from untrusted websites.
  • Ingestion points: Data from the web enters the agent context via commands such as snapshot and get text, run after navigating with agent-browser open (referenced in SKILL.md and capture-workflow.sh).
  • Boundary markers: The skill provides an opt-in security feature (--content-boundaries) to wrap tool outputs in markers, helping the LLM distinguish between page content and instructions.
  • Capability inventory: The skill has extensive capabilities including arbitrary script execution (eval), file downloads (download), and state management (state save).
  • Sanitization: No automatic sanitization of extracted web content is implemented; the skill relies on the optional boundary markers to manage untrusted input.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 10, 2026, 08:16 AM