agent-browser

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION] (HIGH): High susceptibility to Indirect Prompt Injection through untrusted web content.
      • Ingestion points: The skill frequently ingests external data from attacker-controlled web pages via agent-browser open in capture-workflow.sh, form-automation.sh, and authenticated-session.sh.
      • Boundary markers: There are no explicit delimiters or system instructions to the agent to ignore instructions embedded within the browser snapshots or page text.
      • Capability inventory: The agent has high-privilege capabilities including session state manipulation (state save/load), form submission, and potentially network navigation based on content found on pages.
      • Sanitization: No sanitization or filtering of the browser's DOM or snapshot output is performed before it is presented to the agent.
  • [DATA_EXFILTRATION] (HIGH): Risk of sensitive session token exposure and exfiltration.
      • Evidence: The workflow in templates/authenticated-session.sh and references/authentication.md revolves around saving browser cookies and local storage to auth-state.json. If an agent is compromised via indirect injection while an authenticated session is active, the attacker could command the agent to read and exfiltrate this file or use the active session to perform actions on the user's behalf.
  • [CREDENTIALS_UNSAFE] (MEDIUM): Encourages hardcoding of credentials in documentation.
      • Evidence: references/proxy-support.md provides examples of hardcoding usernames and passwords directly into proxy environment variables (e.g., export HTTP_PROXY="http://username:password@..."), which is a poor security practice as it may lead to credentials being leaked in process lists or shell history.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 15, 2026, 07:54 AM