chrome-devtools

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
  • [Privilege Escalation] (HIGH): The scripts/install-deps.sh script requires and utilizes sudo (root privileges) to install system-level dependencies for Chromium on Linux/WSL. While this is standard for Puppeteer environments, it represents a high-privilege operation.
  • [Dynamic Execution] (MEDIUM): The scripts/evaluate.js script provides a wrapper for page.evaluate(), which directly executes strings via eval() inside the browser context. This is the primary purpose of the script but creates a high-risk primitive if the input is influenced by untrusted external data.
  • [Data Exposure & Exfiltration] (MEDIUM): Several scripts (screenshot.js, network.js, performance.js) accept an --output argument that specifies a file path for writing data. There is no path validation or sandboxing, allowing the agent to potentially write files to any location accessible by the user session.
  • [Indirect Prompt Injection] (LOW): This skill is highly susceptible to indirect prompt injection because it is designed to ingest and process untrusted data from the web (DOM snapshots, console logs, network traffic).
      • Ingestion points: snapshot.js (DOM content), console.js (logs), network.js (traffic), evaluate.js (script results).
      • Boundary markers: None. Data is returned as raw JSON to the agent.
      • Capability inventory: File writing (screenshot.js), form interaction (fill.js), and arbitrary script execution in-browser (evaluate.js).
      • Sanitization: scripts/lib/selector.js implements basic XPath injection prevention patterns to block common JavaScript triggers in selectors.
  • [External Downloads] (LOW): The scripts/install.sh script and package.json trigger the download of the Chromium binary from Google's servers during the npm install phase.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 17, 2026, 06:07 PM