chrome-cdp

Pass

Audited by Gen Agent Trust Hub on Mar 17, 2026

Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The scripts/cdp.mjs script uses child_process.spawn to launch background daemon processes for each browser tab session to maintain persistent CDP connections.
  • [COMMAND_EXECUTION]: The skill implements an eval command that allows the agent to execute arbitrary JavaScript code within an active browser tab using the Runtime.evaluate method of the Chrome DevTools Protocol.
  • [COMMAND_EXECUTION]: Through the evalraw command, the skill allows sending raw CDP commands, which grants total control over the browser session's behavior and settings.
  • [DATA_EXFILTRATION]: The skill can capture screenshots (shot), retrieve full page HTML (html), and access accessibility tree snapshots (snap), potentially exposing sensitive information displayed in the user's browser sessions.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data from external websites that could contain malicious instructions for the agent.
      • Ingestion points: External data enters the agent context via Accessibility.getFullAXTree, Runtime.evaluate, and Page.captureScreenshot in scripts/cdp.mjs.
      • Boundary markers: The skill does not use delimiters or explicit warnings to separate web content from agent instructions.
      • Capability inventory: The skill has the capability to write local files (writeFileSync for screenshots and cache), execute internal processes (spawn), and perform network operations through the controlled browser.
      • Sanitization: The nav command restricts URLs to http/https protocols, but the content retrieved from these URLs is not sanitized or filtered for instructions before being processed.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 17, 2026, 12:57 PM