skills/julianromli/ai-skills/browser/Gen Agent Trust Hub

browser

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH (DATA_EXFILTRATION, COMMAND_EXECUTION)
Full Analysis
  • Data Exposure & Exfiltration (HIGH): The script start.js contains logic to locate and recursively copy the user's local Chrome profile directory (Default folder) to a temporary location when the --profile flag is used. This directory contains highly sensitive information including session cookies, browsing history, and potentially saved passwords.
      • Evidence in start.js: getUserDataDir() identifies paths like ~/Library/Application Support/Google/Chrome and cpSync(defaultProfile, join(tempProfile, 'Default'), { recursive: true }) performs the copy operation.
  • Dynamic Execution (MEDIUM): The eval.js script uses the JavaScript eval() function to execute strings provided as command-line arguments within the browser context.
      • Evidence in eval.js: return await eval((async () => ${expr})());. This allows an agent to execute arbitrary code in the browser, which is particularly dangerous when combined with the authenticated profile cloning.
  • Indirect Prompt Injection (LOW): The skill provides the ability to navigate to arbitrary external URLs (nav.js) and evaluate script on those pages. This creates a surface where a malicious website could provide instructions that the agent might follow using the high-privilege browser tools provided.
      • Evidence Chain: Ingestion point in nav.js (external URLs), capability inventory in eval.js (arbitrary JS execution), and missing sanitization/boundary markers when processing page content.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 06:03 PM