agent-browser

Warn

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The agent-browser eval command allows executing arbitrary JavaScript code within the browser context via Base64-encoded strings or standard input. This enables the agent to perform complex runtime operations that could be exploited if the input scripts are derived from untrusted data sources.
  • [DATA_EXFILTRATION]: The skill supports the --allow-file-access flag and the file:// protocol, which grants the agent the ability to open and read local files from the host machine. If an agent is manipulated into accessing sensitive system paths (e.g., SSH keys or configuration files), this content could then be extracted through screenshots or text-scraping commands.
  • [CREDENTIALS_UNSAFE]: The state save functionality exports session cookies, local storage, and authentication tokens into local JSON files. Although the documentation warns against committing these files to public repositories, their presence on the local file system constitutes a persistent risk of credential theft if the environment is compromised.
  • [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection because it processes content from external, untrusted websites. Malicious instructions hidden in web pages could be interpreted by the agent as legitimate commands.
      • Ingestion points: Content retrieved from websites using the open, snapshot, and get text commands.
      • Boundary markers: The tool provides no native mechanism to wrap or delimit external content to prevent the agent from confusing UI text with instructions.
      • Capability inventory: Full browser control, including navigation, interaction, JS execution (eval), and file system writes (screenshots, PDFs, state files).
      • Sanitization: No internal validation or sanitization is performed on the data fetched from the web before it is passed to the agent context.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 1, 2026, 10:12 AM