agent-browser
Warn
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: MEDIUM
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill manages authentication states using JSON files. These files contain session tokens in plaintext by default (e.g., auth-state.json), which could lead to credential exposure if the files are not properly managed or if the optional AGENT_BROWSER_ENCRYPTION_KEY is not used.
- [COMMAND_EXECUTION]: The agent-browser eval command allows for the execution of arbitrary JavaScript within the browser environment. This is a primary interaction method but represents a dynamic execution risk if the agent incorporates untrusted data into the script.
- [DATA_EXFILTRATION]: The tool has broad access to potentially sensitive information, including the system clipboard (clipboard read), local files (via --allow-file-access), and full page content (get text body). This data could be exfiltrated if the agent is manipulated by malicious web content.
- [PROMPT_INJECTION]: The skill is highly exposed to indirect prompt injection because it processes content from arbitrary websites.
  - Ingestion points: Commands such as snapshot, get text, and get html read data from external web pages into the agent's context (SKILL.md).
  - Boundary markers: The skill provides an opt-in feature (AGENT_BROWSER_CONTENT_BOUNDARIES) to wrap tool output in markers, though this is not enabled by default.
  - Capability inventory: The agent has significant capabilities including browser interaction (click, fill), script execution (eval), and file system access (screenshot, download, state save) across all its command modules.
  - Sanitization: No default sanitization or filtering of web content is applied before it is presented to the agent.
- [EXTERNAL_DOWNLOADS]: The skill's setup requires installing the agent-browser CLI via external package managers (npm, brew, cargo) and includes a command (agent-browser install) to download Chromium browser binaries from remote sources.