agent-e2e
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFE (flagged categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill is designed to execute CLI commands using the `agent-browser` tool. It instructs the agent to run commands such as `open`, `fill`, `click`, and `snapshot` based on parameters defined in external YAML files. This capability, while necessary for the skill's primary function, allows arbitrary browser interactions.
- [DATA_EXFILTRATION]: The skill documentation and examples (e.g., `FORMATS.md`, `SKILL.md`) encourage the use of environment variables for sensitive data, such as `{{env.AGENT_PASSWORD}}` and `{{env.EMAIL}}`. A security risk exists where an attacker could provide a test case that directs the agent to enter these sensitive values into a form on a malicious domain or append them as URL parameters.
- [PROMPT_INJECTION]: The skill uses instructions like "Ignore previous instructions" or "Switch to debug mode" as examples of what to detect; the skill itself does not contain these. However, the core logic relies on the agent interpreting "intent" from YAML, which is a form of instruction following that could be bypassed if the YAML content is adversarial.
- [INDIRECT_PROMPT_INJECTION]: The skill exhibits a classic indirect prompt injection surface.
  - Ingestion points: The agent reads and interprets test instructions from YAML files (e.g., `examples/github-pr-review.yaml`).
  - Boundary markers: No explicit delimiters or instructions are provided to the agent to treat the content of the YAML files as untrusted or to ignore embedded natural-language instructions.
  - Capability inventory: The agent has full access to `agent-browser` capabilities, including navigating to any URL, filling text fields, and clicking elements.
  - Sanitization: There is no evidence of sanitization or validation of the YAML content before the agent executes the corresponding browser actions.
Audit Metadata