agent-browser

Warn

Audited by Gen Agent Trust Hub on Mar 17, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it instructs the agent to process content from untrusted external websites. Mandatory Evidence: 1. Ingestion points: Untrusted data enters the agent's context through agent-browser open and snapshot commands (SKILL.md). 2. Boundary markers: There are no delimiters or explicit instructions to ignore embedded commands in retrieved content. 3. Capability inventory: The agent has access to agent-browser subprocess calls (SKILL.md), arbitrary JavaScript execution via eval (references/commands.md), local file access via file:// URLs (SKILL.md), and network operations. 4. Sanitization: No sanitization or filtering of web content is implemented.
  • [DATA_EXFILTRATION]: The skill includes functionality to access and export sensitive session data, such as cookies and local storage, using the agent-browser state save command (references/session-management.md). It also supports local file system access through file:// URLs when the --allow-file-access flag is enabled (SKILL.md).
  • [REMOTE_CODE_EXECUTION]: The agent-browser eval command (references/commands.md) allows for the execution of arbitrary JavaScript within the browser context. The documentation highlights support for base64-encoded input (via the -b flag) and stdin, which are patterns for dynamic code execution that could be leveraged by an attacker if the agent is compromised.
  • [COMMAND_EXECUTION]: The skill exposes a powerful browser automation CLI tool (agent-browser) that enables a wide range of programmatic interactions with websites and the local environment through the Bash environment.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 17, 2026, 08:30 PM