skills/ssiumha/dots/agent-browser/Gen Agent Trust Hub

agent-browser

Pass

Audited by Gen Agent Trust Hub on Feb 21, 2026

Risk Level: SAFE; categories: PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
  • [Prompt Injection] (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8) because it ingests untrusted data from external websites and grants the agent significant browser control capabilities.
      • Ingestion points: External web content loaded via agent-browser open and analyzed via snapshot.
      • Boundary markers: None present to distinguish between tool instructions and untrusted web content.
      • Capability inventory: Full browser interaction (click, fill, type), session management (state save/load), and data extraction (get text, screenshot).
      • Sanitization: No sanitization or filtering of the DOM/Accessibility tree is defined.
  • [Data Exfiltration] (LOW): The state save and state load commands allow the agent to read and write authentication session data (cookies, storage) to local files (e.g., auth.json). If the agent is compromised by a malicious prompt, this sensitive data could be targeted for exfiltration.
  • [Command Execution] (SAFE): The skill defines a command-line interface for the agent-browser tool. While it involves executing system commands, this behavior is restricted to the documented toolset and is standard for this skill's primary purpose.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 21, 2026, 03:26 PM