
chrome-devtools

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill exposes a massive attack surface for indirect injection by processing untrusted data from external websites.
      • Ingestion points: navigate_page, take_snapshot, list_console_messages, and list_network_requests all bring external, attacker-controlled content into the agent's context.
      • Boundary markers: Absent. The instructions do not provide delimiters or guidance for the agent to distinguish between website content and legitimate instructions.
      • Capability inventory: High-impact capabilities include evaluate_script (JS execution), upload_file (local data egress), and fill_form (state change/credential entry).
      • Sanitization: None. The agent is encouraged to use raw console logs and network data for troubleshooting, which are common injection vectors.
  • Command Execution (HIGH): The evaluate_script tool provides the ability to execute arbitrary JavaScript in the context of the current page. If the agent is influenced by malicious site content, this tool can be used to steal cookies, bypass CSRF protections, or perform unauthorized actions on the user's behalf.
  • Data Exposure & Exfiltration (HIGH): The combination of list_network_requests (which can see sensitive headers and tokens) and upload_file (which can access local files) creates a high risk of sensitive data being exposed to either the agent's context or a malicious website.
  • Capability Abuse (MEDIUM): The upload_file tool allows the agent to select and upload local files to web forms. Without strict human-in-the-loop controls, an agent could be tricked by a website (via Category 8) into uploading sensitive local configuration files or SSH keys.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 08:17 AM