skills/m4n5ter/skills/agent-browser/Gen Agent Trust Hub

agent-browser

Pass

Audited by Gen Agent Trust Hub on Apr 4, 2026

Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted web content which could contain malicious instructions for the agent.
    * Ingestion points: The agent-browser open, snapshot, and get commands in SKILL.md bring external web content into the agent context.
    * Boundary markers: There are no delimiters or 'ignore' instructions specified to separate untrusted content from the agent's instructions.
    * Capability inventory: The agent has extensive permissions via the Bash(agent-browser:*) tool, including JavaScript execution (eval), session data access (cookies, storage), and file system operations (upload, screenshot).
    * Sanitization: No validation or sanitization of external web data is described.
  • [COMMAND_EXECUTION]: The skill enables code execution and environment interaction.
    * The agent-browser eval command allows running arbitrary JavaScript in the browser.
    * Commands like upload, screenshot, and pdf permit reading from and writing to the local file system.
  • [DATA_EXFILTRATION]: The skill facilitates the extraction of sensitive session information.
    * The agent-browser cookies and agent-browser storage local commands can be used to retrieve authentication tokens and other sensitive data from the browser session.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 4, 2026, 06:28 AM