staging-browser-localhost
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
CREDENTIALS_UNSAFE
COMMAND_EXECUTION
Full Analysis
- [Data Exposure & Exfiltration] (LOW): The skill handles sensitive authentication tokens (idToken, refreshToken) by appending them to a URL as query parameters. This is a security anti-pattern as tokens in URLs can be leaked through browser history, server logs, or 'Referer' headers.
- [Command Execution] (LOW): The skill dynamically assembles shell commands using variables $ID_TOKEN, $REFRESH_TOKEN, and $TARGET_PATH. If these variables contain shell-active characters (e.g., backticks or command substitution sequences), there is a potential for local command injection, although the impact is mitigated by the variables being wrapped in double quotes.
- [Indirect Prompt Injection] (LOW): The skill interacts with external/local web content and user-provided URLs, creating a surface for indirect prompt injection.
  - Ingestion points: URL argument and the redirect parameter.
  - Boundary markers: None. Content from the target URL is processed without explicit delimiters or instructions to ignore embedded commands.
  - Capability inventory: Execution of shell commands via agent-browser, including snapshot and screenshot capabilities.
  - Sanitization: No evidence of input validation or sanitization for the tokens or the redirect path before interpolation into the shell command.