The Agent Skills Directory

[INDIRECT PROMPT INJECTION] (HIGH): The skill creates a high-risk surface for indirect prompt injection attacks.
Ingestion points: Untrusted data enters the agent context via agent-browser snapshot and agent-browser get html (SKILL.md).
Boundary markers: There are no boundary markers or instructions to isolate or ignore malicious commands embedded in the retrieved web content.
Capability inventory: The skill provides high-privilege operations including upload (file system access), open (network navigation), and form filling/clicking (side effects).
Sanitization: No sanitization or validation of the external content is performed before the agent processes it.
[DATA_EXFILTRATION] (HIGH): The presence of the agent-browser upload <ref> <file> command combined with the ability to navigate to arbitrary URLs allows the agent to be coerced into uploading sensitive local files (e.g., PDFs, configuration files) to attacker-controlled web endpoints.
[COMMAND_EXECUTION] (HIGH): The tool relies on shell command execution for all browser interactions. If the agent generates these commands using unvalidated strings from untrusted web pages (e.g., a URL or a filename found on a page), it may lead to shell command injection.
[EXTERNAL_DOWNLOADS] (MEDIUM): The skill requires a global installation of the agent-browser npm package and the subsequent download of the Chromium browser binary (agent-browser install). While associated with Vercel, this involves downloading and executing opaque binaries and scripts at runtime.
[DATA_EXPOSURE] (MEDIUM): The skill examples demonstrate accessing internal IP addresses (192.168.150.114:8913). This capability allows the agent to be used for internal network reconnaissance or Server-Side Request Forgery (SSRF) if it follows instructions from a malicious external site.

agent-browser-skill