qiaomu-opencli-browser

Fail

Audited by Gen Agent Trust Hub on Apr 9, 2026

Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill inherits and reuses the user's existing Chrome login sessions, enabling the agent to access and interact with any website where the user is currently authenticated, including highly sensitive accounts such as email, banking, or corporate tools.
  • [REMOTE_CODE_EXECUTION]: The tool provides an eval command that allows the execution of arbitrary JavaScript within the browser. Additionally, the 'sedimentation' workflow instructs the agent to use the Write tool to create TypeScript files in the local ~/.opencli/clis/ directory and subsequently execute them as new CLI commands.
  • [DATA_EXFILTRATION]: The skill provides extensive data extraction capabilities through commands like network, state, and eval, which can be used to capture authenticated API responses, sensitive form data, and private page content.
  • [COMMAND_EXECUTION]: The skill relies on the execution of the opencli command-line utility via a shell, granting the agent powerful control over the browser and the underlying host environment.
  • [PROMPT_INJECTION]: The instructions include 'Critical Rules' that use absolute language ('ALWAYS', 'NEVER') to override the agent's default safety or operational guidelines and mandate specific tool interactions.
  • [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection because it reads and processes untrusted content from the internet (via state, get html, and network) while possessing high-privilege capabilities such as shell access and local file system modification. Ingestion points include browser state and network logs; no boundary markers or sanitization mechanisms are defined.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 9, 2026, 06:57 AM