The Agent Skills Directory

[Indirect Prompt Injection] (HIGH): The skill is designed to ingest and process untrusted external data from web pages, creating a major attack surface for indirect prompt injection.
Ingestion points: Commands like snapshot, get text, get html, and console read content directly from external websites into the agent's context.
Boundary markers: No boundary markers or instructions to ignore embedded commands are present in the skill definition.
Capability inventory: The skill includes high-privilege commands such as eval (arbitrary JS execution), cookies (session data access), upload (file handling), and network route (traffic manipulation).
Sanitization: No evidence of sanitization or filtering of the ingested web content is provided.
[Dynamic Execution] (HIGH): The agent-browser eval command allows the agent to execute arbitrary JavaScript code within the browser context. An attacker-controlled website could provide malicious instructions that the agent then executes via eval to steal data or perform unauthorized actions.
[Data Exposure & Exfiltration] (HIGH): Several commands provide direct access to sensitive information.
agent-browser cookies and agent-browser storage local can be used to extract session tokens and authentication data.
agent-browser network requests and set headers can expose or inject sensitive authorization headers.
agent-browser screenshot and pdf can capture sensitive visual information from private pages.
[Privilege Escalation] (MEDIUM): While not OS-level, the set credentials and cookies set commands allow for session hijacking or masquerading as the user on various web platforms.

agent-browser