web-browser

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Tags: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [Data Exposure & Exfiltration] (HIGH): The tools/start.js script contains logic to copy the user's full Google Chrome profile (including sessions, cookies, and stored credentials) from ~/Library/Application Support/Google/Chrome/ to a cache directory using rsync. This exposes highly sensitive data to the agent and any website it visits.
  • [Command Execution] (HIGH): tools/start.js utilizes execSync to perform shell operations such as killall, mkdir, and rsync. Executing shell commands with direct access to the filesystem is a high-risk pattern.
  • [Dynamic Execution] (MEDIUM): tools/eval.js uses new AsyncFunction to execute arbitrary string-based JavaScript within the browser context. While intended for automation, this allows a subverted agent or malicious website content to execute arbitrary code in the browser session.
  • [Indirect Prompt Injection] (LOW): As a web-browsing tool, this skill is vulnerable to instructions hidden in third-party web content. Malicious sites could attempt to hijack the agent's flow via the DOM data it processes.
      • Ingestion points: tools/pick.js (extracts text and outerHTML), tools/eval.js (reads DOM values).
      • Boundary markers: Absent; no delimiters or warnings are used to separate untrusted web content from instructions.
      • Capability inventory: Browser navigation (nav.js), arbitrary JS execution (eval.js), and simulated user interaction (pick.js).
      • Sanitization: Absent; the skill extracts and returns raw HTML/text from external pages.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 06:14 PM