browser-devtools-cli

Pass

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: SAFE
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to execute the browser-devtools-cli command-line tool, which allows the agent to interact with the local operating system and manage browser sessions and temporary files.
  • [REMOTE_CODE_EXECUTION]: The tools run js-in-browser and run js-in-sandbox allow for the execution of arbitrary JavaScript. Although js-in-sandbox executes within a Node.js VM, the ability to run arbitrary code remains a significant capability that could be abused if directed toward malicious scripts.
  • [DATA_EXFILTRATION]: The skill has the ability to extract large amounts of data from browser sessions, including page HTML, text, console logs, and full HTTP request and response headers/bodies. This represents a risk of exposing sensitive session data or PII if the agent navigates to untrusted locations.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection attacks because it fetches and processes content from external websites. (1) Ingestion points: Data is ingested through navigation go-to, a11y take-aria-snapshot, and content get-as-text. (2) Boundary markers: No explicit boundary markers or instructions to ignore embedded commands are used when processing external content. (3) Capability inventory: The skill can execute arbitrary JavaScript, fill forms, and mock network responses. (4) Sanitization: While get-as-html can remove scripts, other extraction tools provide raw content from external sources.
  • [CREDENTIALS_UNSAFE]: The skill references the use of the FIGMA_ACCESS_TOKEN environment variable for design comparison features. While no secrets are hardcoded, this sensitive credential in the environment could be a target for exfiltration through the tool's code execution capabilities.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 10, 2026, 01:43 AM