wise-scraper

Fail

Audited by Gen Agent Trust Hub on Mar 24, 2026

Risk Level: HIGH (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The core runner logic in references/runner/src/browser.ts, examples/splunk-itsi-admin/run.mjs, and examples/revspin/run_revspin_durable.py interfaces with the agent-browser CLI using shell-executed commands.
  • The commands are constructed using template strings that interpolate URLs and CSS selectors (e.g., agent-browser open "${url}") without shell-character sanitization.
  • This allows for command injection if a URL or selector contains shell metacharacters (e.g., "; malicious_cmd; "), enabling arbitrary system command execution.
  • [REMOTE_CODE_EXECUTION]: The skill implements a dynamic plugin architecture in references/runner/src/hooks.ts that uses import() to load JavaScript/TypeScript modules from paths defined in the scraper profile or CLI arguments.
  • This mechanism allows for the execution of arbitrary local files if the configuration path is manipulated.
  • [PROMPT_INJECTION]: As a web scraping tool, the skill's primary function is to ingest and process untrusted data from external websites.
  • There is a high risk of indirect prompt injection where malicious instructions embedded in a scraped page could influence the agent to generate a scraping profile that exploits the command injection or dynamic loading vulnerabilities identified above.
  • While the skill uses escapeJs for browser-side JavaScript interpolation and cheerio for HTML cleaning, these measures do not protect the host system from the shell injection flaws in the CLI wrapper.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 24, 2026, 07:40 PM