The Agent Skills Directory

[REMOTE_CODE_EXECUTION] (HIGH): The skill includes an eval command that allows the execution of arbitrary JavaScript within the browser context. It explicitly supports a -b flag for Base64-encoded strings, which functions as an obfuscation primitive to hide the intent of executed scripts.
[DATA_EXFILTRATION] (HIGH): The skill features an --allow-file-access flag that permits the browser to read local files via file:// URLs. An attacker-controlled website could potentially use this in conjunction with the agent's interaction capabilities to read sensitive system files and exfiltrate them.
[COMMAND_EXECUTION] (MEDIUM): The documentation references external shell scripts located in a templates/ directory (e.g., form-automation.sh). These external dependencies are not defined within the skill itself and represent unverifiable code execution.
[CREDENTIALS_UNSAFE] (MEDIUM): The state save and session persistence features store sensitive authentication data, including cookies and localStorage, to the local file system (~/.agent-browser/sessions/). This creates a persistence mechanism for sensitive credentials that could be targeted by other malicious processes.
[PROMPT_INJECTION] (LOW): The skill is highly vulnerable to indirect prompt injection because it is designed to ingest and process unstructured data from arbitrary external websites via snapshot and get text. Evidence: 1. Ingestion points: get text, snapshot, get title. 2. Boundary markers: Absent. 3. Capability inventory: JavaScript execution, file system access, network navigation, form interaction. 4. Sanitization: Absent.

agent-browser