agent-browser

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Flagged categories: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (LOW): Documentation in examples/advanced/usage-with-agents.md suggests using curl to download skill configuration files from the vercel-labs GitHub repository.
      • Evidence: curl -o .claude/skills/agent-browser/SKILL.md https://raw.githubusercontent.com/vercel-labs/agent-browser/main/skills/agent-browser/SKILL.md
      • Assessment: Per [TRUST-SCOPE-RULE], this is downgraded to LOW/INFO as the source organization is in the trusted list.
  • [COMMAND_EXECUTION] (MEDIUM): Integration templates and examples in templates/ai-agent-workflow.md and examples/agent-mode/integration.md demonstrate using subprocess.run with shell=True and string interpolation.
      • Evidence: subprocess.run(f"agent-browser {command} --json", shell=True, ...)
      • Risk: This pattern is vulnerable to command injection if an agent populates the {command} variable with unvalidated input from a user. This is a common but unsafe pattern in CLI tool documentation.
  • [REMOTE_CODE_EXECUTION] (LOW): The skill documents the agent-browser eval command, which allows arbitrary JavaScript to be executed within the browser's context.
      • Evidence: agent-browser eval "document.title" in examples/commands/advanced-commands.md
      • Risk: While a core feature, it provides a high-privilege execution surface that could be abused if the agent visits malicious websites.
  • [PROMPT_INJECTION] (LOW): As a browser automation skill, it is a target for Indirect Prompt Injection (Category 8).
      • Ingestion points: Accessibility trees and page text ingested via snapshot and get text commands (found in api/commands.md).
      • Boundary markers: The skill uses a structured JSON output format (--json) which helps the agent distinguish tool output from data, but does not sanitize the semantic content of the page.
      • Capability inventory: Full browser control (navigation, input, clicks) and JavaScript evaluation (eval).
      • Sanitization: No specific sanitization or filtering of external web content is described in the documentation.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 17, 2026, 06:10 PM