The Agent Skills Directory

[COMMAND_EXECUTION]: The skill's primary workflow involves the agent generating and executing arbitrary TypeScript code blocks using npx tsx via heredocs, as seen in SKILL.md. This grants the agent direct execution capabilities on the host system.\n- [COMMAND_EXECUTION]: The scripts/start-server.ts file uses execSync to run shell commands for finding and killing processes on specific ports (lsof and kill -9).\n- [COMMAND_EXECUTION]: The internal ARIA snapshot script is injected into the browser context using eval() within a page.evaluate() call in src/client.ts.\n- [EXTERNAL_DOWNLOADS]: The scripts/start-server.ts file automatically downloads Chromium browser binaries using playwright install if they are not detected locally.\n- [EXTERNAL_DOWNLOADS]: The SKILL.md file directs users to download a browser extension from a third-party GitHub repository (github.com/SawyerHood/dev-browser/releases).\n- [DATA_EXFILTRATION]: The references/scraping.md file provides detailed patterns and code examples for intercepting network requests to capture authentication headers and cookies for replaying API calls externally.\n- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted text and structure from web pages via the getAISnapshot function. This content is then used to guide the agent's next actions.\n
Ingestion points: The getAISnapshot() method in src/client.ts extracts the DOM accessibility tree.\n
Boundary markers: No delimiters or specific instructions are used to prevent the agent from obeying commands embedded within the web content.\n
Capability inventory: The skill can execute shell commands (npx tsx), write files (page.screenshot), and perform network requests (page.goto).\n
Sanitization: There is no sanitization of the extracted accessibility tree before it is presented to the agent's context.

dev-browser