agent-browser
Warn
Audited by Gen Agent Trust Hub on Apr 18, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill utilizes 'agent-browser skills get' to dynamically fetch command syntax and interaction templates from the vendor's remote service at runtime. This allows the tool's behavior and available actions to be updated externally without modifying the skill files themselves.
- [COMMAND_EXECUTION]: The skill provides an 'eval' command that enables the execution of arbitrary JavaScript within the browser context. This includes support for base64-encoded strings, which can be used to obfuscate scripts from simple text-based analysis.
- [CREDENTIALS_UNSAFE]: The 'state save' functionality is designed to persist session cookies and authentication tokens to local JSON files. Documentation indicates that these files store tokens in plaintext, which could lead to credential exposure if the files are not properly managed or deleted after use.
- [COMMAND_EXECUTION]: The documentation encourages the use of the browser's remote debugging port (--remote-debugging-port=9222). Enabling this port exposes full control over the browser session to any other process running on the local machine.
- [PROMPT_INJECTION]: As a tool designed to ingest and interact with untrusted web content, the skill presents a significant surface for indirect prompt injection.
  1. Ingestion points: 'agent-browser snapshot' and 'get text' are used across all templates to read page content.
  2. Boundary markers: No explicit delimiters or instructions are provided to the agent to ignore instructions embedded in the scraped content.
  3. Capability inventory: The skill possesses high-privilege capabilities including shell command execution via Bash, arbitrary file writes (screenshots, state files), and network requests.
  4. Sanitization: There is no evidence of filtering or sanitization of the extracted web content before it is processed by the agent.