agent-browser

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): This skill is highly susceptible to indirect prompt injection because it is designed to ingest and process untrusted data from external websites. An attacker-controlled web page could include hidden instructions (e.g., in invisible HTML elements or ARIA labels) that the agent might interpret as commands. Given the skill's capabilities, an injection could lead the agent to fill sensitive data into attacker-controlled forms or exfiltrate session data saved via the state save command.
  • Ingestion points: agent-browser open <url> and agent-browser snapshot ingest raw DOM/Accessibility tree data.
  • Boundary markers: None. There are no instructions provided to the agent to distinguish between the skill's commands and content found on the webpage.
  • Capability inventory: Includes file-writing (state save, screenshot), network communication (open, fill + click for form submission), and UI interaction.
  • Sanitization: None. The skill returns raw text and element descriptions from the web page directly to the agent's context.
  • [Unverifiable Dependencies] (MEDIUM): The skill requires the installation of agent-browser via npm and a subsequent binary installation step (agent-browser install). This package does not originate from a designated trusted source, representing a supply chain risk where the installation script or the browser binaries themselves could be malicious.
  • [Credential Exposure] (MEDIUM): The agent-browser state save auth.json command allows the agent to export sensitive authentication tokens, cookies, and session data to a local file. While this is a functional feature, it creates a high-value target for exfiltration if the agent is later compromised via prompt injection or if it is tricked into uploading this file to an untrusted destination.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 11:21 AM