agent-browser

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: CRITICAL
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE
Full Analysis
  • [REMOTE_CODE_EXECUTION] (CRITICAL): The "agent-browser eval" command allows execution of arbitrary JavaScript. Specifically, the "-b" or "--base64" flag enables execution of base64-encoded scripts, which is a direct mechanism for obfuscated code execution and bypasses safety monitoring. Evidence in "references/commands.md".
  • [DATA_EXFILTRATION] (HIGH): The skill provides "--allow-file-access" for the "open" command, allowing the agent to read local files (e.g., "file:///etc/passwd"). Combined with the ability to navigate to attacker-controlled URLs and perform "screenshot" or "get text", this enables local data exfiltration. Evidence in "SKILL.md".
  • [CREDENTIALS_UNSAFE] (HIGH): The "agent-browser state save" command exports sensitive session data, including cookies and local storage, to plain JSON files. This leads to credential exposure and session hijacking. Evidence in "references/session-management.md".
  • [COMMAND_EXECUTION] (HIGH): The skill documentation encourages using "agent-browser" within bash scripts and templates, creating a surface for command injection if the agent interpolates untrusted web data into shell commands. Evidence in "templates/authenticated-session.sh".
  • [INDIRECT_PROMPT_INJECTION] (HIGH): The skill's primary function is to ingest untrusted external web content. It lacks boundary markers or sanitization while possessing high-privilege capabilities like JavaScript evaluation.
    1. Ingestion points: "open", "snapshot" in "SKILL.md".
    2. Boundary markers: Absent.
    3. Capability inventory: "eval", "click", "fill", "screenshot" in "references/commands.md".
    4. Sanitization: Absent.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: CRITICAL
Analyzed: Feb 16, 2026, 09:09 AM