Browser

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Categories: DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • Data Exposure & Exfiltration (HIGH): The uploadFile(selector, path) method allows the agent to select local files and upload them to a website.
      • Evidence: An attacker could use indirect prompt injection on a web page to trick the agent into uploading sensitive files (e.g., ~/.aws/credentials or ~/.ssh/id_rsa) to a malicious server.
  • Dynamic Execution (HIGH): The evaluate(script) function allows the execution of arbitrary JavaScript within the browser context.
      • Evidence: If the agent is instructed by a malicious webpage or a complex prompt to execute a specific script, it could be used to bypass client-side security, steal session cookies, or perform actions on behalf of the user in other open tabs.
  • Command Execution (MEDIUM): The primary interface for this skill relies on executing local TypeScript files via the Bun runtime.
      • Evidence: Commands like bun run $PAI_DIR/skills/Browser/Tools/Browse.ts depend on the integrity of the $PAI_DIR environment variable and the local script files.
  • Indirect Prompt Injection (LOW): The skill is highly vulnerable to instructions embedded in web content.
      • Ingestion points: navigate(url), verify(url, selector), and open(url) ingest untrusted data from the open web.
      • Boundary markers: Absent. There are no instructions or delimiters provided to help the agent distinguish between the developer's instructions and the content of the website being browsed.
      • Capability inventory: The skill has extensive capabilities including uploadFile, evaluate (JS execution), click, and fill, allowing for full interaction with web applications.
      • Sanitization: Absent. There is no evidence of URL filtering or content sanitization to prevent the agent from accessing internal network resources (SSRF) or following malicious instructions found on a page.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:31 PM