cf-browser

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill's primary purpose is to ingest and process untrusted data from arbitrary URLs.
      • Ingestion Points: cfbr.sh fetches content from external websites via Cloudflare's Rendering API.
      • Boundary Markers: Absent. There are no delimiters or instructions to ignore embedded commands in the fetched content.
      • Capability Inventory: The skill can execute shell commands via cfbr.sh, make external network requests, and has an AI extraction endpoint (/json) that interprets natural language.
      • Sanitization: Absent. Content is passed directly to the agent or the AI extraction model.
  • Command Execution / Arbitrary File Write (HIGH): The cfbr.sh script accepts a third argument for the screenshot filename which is passed directly to the curl --output flag.
      • Evidence: In scripts/cfbr.sh, the variable outfile="${3:-screenshot.png}" is used in curl ... --output "$outfile".
      • Risk: An attacker-controlled website could trick the agent (via indirect injection) into calling the screenshot command with a sensitive path like ~/.bashrc or ~/.ssh/authorized_keys, leading to file corruption or unauthorized access.
  • Credentials Unsafe (MEDIUM): The references/api.md file contains examples showing the use of hardcoded API key patterns (sk-...) for the custom_ai parameter.
      • Risk: This encourages the agent to pass sensitive third-party credentials (like OpenAI keys) in plaintext payloads to the Cloudflare API, increasing the risk of credential exposure in logs or to intermediate services.
  • Dynamic Execution (MEDIUM): The API supports the addScriptTag parameter, which allows the execution of arbitrary JavaScript within the headless browser.
      • Risk: While a feature of the API, it provides a vector for the agent to be manipulated into executing malicious scripts in the context of the rendered page, potentially for data exfiltration or bypassing local security controls.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 12:41 AM