web-browser

Warn

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill performs extensive automated collection of sensitive browser data. The watch.js script records all console messages, errors, and detailed network request/response metadata to the ~/.cache/agent-web/logs directory in JSONL format.
  • [DATA_EXFILTRATION]: The start.js script includes functionality (triggered by the --profile flag) that uses rsync to copy the user's entire Google Chrome profile—including sensitive credentials, session cookies, and browsing history—into a local cache directory.
  • [COMMAND_EXECUTION]: Setup and execution scripts (start.js) use execSync and spawn to run shell commands for directory creation, profile synchronization via rsync, and launching the browser process with remote debugging flags.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its core function of processing untrusted web content. Malicious instructions embedded in websites could be interpreted by the agent during tasks involving eval.js or pick.js.
      • Ingestion points: DOM content and script evaluation results via cdp.js.
      • Boundary markers: None present in the evaluation or picking logic.
      • Capability inventory: Arbitrary JS execution (eval.js), browser navigation (nav.js), and background logging (watch.js).
      • Sanitization: The skill does not perform sanitization or instruction filtering on data retrieved from web pages.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 29, 2026, 11:04 PM