dev-browser

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill uses execSync and exec to run system shell commands for process management (lsof, kill) and container operations (docker) within server.sh and scripts/start-server.ts.
  • [EXTERNAL_DOWNLOADS] (HIGH): At runtime, the skill dynamically installs the patchright npm package and Playwright browser binaries, and pulls the FlareSolverr Docker image. These external assets are not pinned to specific versions in the manifest.
  • [REMOTE_CODE_EXECUTION] (HIGH): The capability to execute arbitrary JavaScript in the browser via page.evaluate while interacting with untrusted websites creates a direct vector for remote code execution.
  • [DATA_EXFILTRATION] (MEDIUM): Sensitive browser data, including cookies and session headers, is stored in local directories (profiles/ and tmp/), which could be targeted for exfiltration if the agent is compromised.
  • [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to indirect prompt injection (Category 8). It ingests untrusted web content (via page.goto and response listeners) without boundary markers or sanitization, while possessing high-privilege capabilities such as shell execution and file manipulation. Evidence:
    • Ingestion points: page.goto, FlareSolverrClient.solveUrl, and network request/response listeners.
    • Boundary markers: none present.
    • Capability inventory: system command execution (execSync), file system access (fs.writeFileSync), and network operations (fetch).
    • Sanitization: no sanitization of ingested content before processing.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 05:46 AM