browser-trace
Pass
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill scripts use Node.js `child_process` methods (`spawn`, `spawnSync`, `execFileSync`) to run local CLI tools such as `browse` and `bb`. These tools are used to capture browser data and manage sessions. Command arguments are handled without using a shell, which mitigates standard command injection risks.
- [EXTERNAL_DOWNLOADS]: The documentation provides instructions for installing the `@browserbasehq/browse-cli` and `@browserbasehq/cli` packages from the official NPM registry. These are official tools required for the skill's primary functionality.
- [CREDENTIALS_UNSAFE]: The skill uses the `BROWSERBASE_API_KEY` environment variable to authenticate with the Browserbase platform. This is a standard and recommended practice for secret management in developer tools.
- [PROMPT_INJECTION]: The skill exhibits an inherent surface for indirect prompt injection (Category 8) because it captures raw data from arbitrary websites.
  - Ingestion points: Raw HTML and browser event logs are captured by `snapshot-loop.mjs` and `start-capture.mjs` into the `.o11y/` directory.
  - Boundary markers: The captured data is bisected into structured JSON and JSONL files, providing separation between different types of events, though the content itself is untrusted.
  - Capability inventory: The skill facilitates file system writes and the execution of browser-specific CLI tools.
  - Sanitization: As a raw tracing tool, it does not perform sanitization on the captured browser content.
Audit Metadata