web-browser

Fail

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/start.js executes multiple system commands, including killall 'Google Chrome' to terminate any running Chrome instances and rsync to synchronize profile data. It also uses spawn to launch the browser with remote debugging enabled and to start a background watcher script. Additionally, scripts/eval.js gives the agent a mechanism to execute arbitrary JavaScript in the browser's page context via the Chrome DevTools Protocol (CDP).
  • [DATA_EXFILTRATION]: The skill implements persistent background logging through scripts/watch.js. It captures all network requests, responses, console logs, and JavaScript exceptions and writes them to JSONL files in the user's home directory (~/.cache/agent-web/logs). Network traffic routinely carries session cookies, authorization headers, and submitted form data, so these logs can expose sensitive data transmitted during browsing sessions and remain on disk after the session ends.
  • [CREDENTIALS_UNSAFE]: In scripts/start.js, the --profile option copies the user's private browser data. It uses rsync to duplicate the entire Chrome profile directory, which contains authentication cookies, saved logins, and browsing history, from ~/Library/Application Support/Google/Chrome/ to a local cache directory accessible to the agent.
  • [PROMPT_INJECTION]: The skill exposes a broad surface for indirect prompt injection from untrusted websites.
      • Ingestion points: browser activity logs (scripts/watch.js), page content evaluated via scripts/eval.js, and element details from scripts/pick.js.
      • Boundary markers: none; web content is passed to the agent without delimiters and without any instruction to treat it as data rather than as commands.
      • Capability inventory: the skill can execute shell commands (scripts/start.js), write files (scripts/screenshot.js, scripts/watch.js), and run arbitrary JavaScript in the browser, so an injected instruction has real actions available to it.
      • Sanitization: external web content is neither sanitized nor filtered before it is returned to the agent or stored locally.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 4, 2026, 02:49 AM