lightpanda-browser

Fail

Audited by Gen Agent Trust Hub on Apr 12, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill documentation recommends installing the Lightpanda engine by piping a shell script from an unverified GitHub repository (nichochar/install-lightpanda) directly into bash via curl -fsSL ... | bash. This practice poses a significant risk as it allows for the execution of arbitrary, unvetted code from a third-party source.
  • [COMMAND_EXECUTION]: The setup instructions facilitate privilege escalation and persistence by detailing how to create system-level services on macOS (LaunchAgents) and Linux (systemd). The Linux instructions specifically require sudo privileges to write to protected directories and reload system configurations, which can be abused to maintain long-term access to the host environment.
  • [PROMPT_INJECTION]: The skill's primary function—headless browser automation—exposes an indirect prompt injection surface when processing external web content.
    • Ingestion points: External data is ingested via agent-browser --cdp 9222 open <url> and extraction commands like get text or snapshot in SKILL.md and several template scripts.
    • Boundary markers: No delimiters or instructions to ignore embedded commands are present in the skill's prompts to protect the agent from malicious website content.
    • Capability inventory: The skill possesses significant capabilities, including the ability to execute shell commands and manage background processes.
    • Sanitization: No validation or sanitization of content extracted from web pages is performed before being introduced to the agent's context.
Recommendations
  • HIGH: Downloads and executes remote code from: https://github.com/nichochar/install-lightpanda/raw/main/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 12, 2026, 06:25 AM