agent-browser

Warn

Audited by Gen Agent Trust Hub on Apr 8, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill relies on a wide array of shell-based commands to control a browser daemon, including simulating user input (clicking, typing, scrolling) and managing session states.
  • [REMOTE_CODE_EXECUTION]: The eval command executes arbitrary JavaScript in the browser context. The skill documentation explicitly recommends passing the script as Base64-encoded input (-b / --base64) or via STDIN to avoid shell escaping, which also means obfuscated code can be executed without appearing in plain form on the command line.
  • [DATA_EXFILTRATION]: The skill supports the file:// protocol via the --allow-file-access flag, enabling the browser to read local system files. When combined with extraction commands like get text, this functionality can be used to harvest sensitive local data.
  • [DATA_EXFILTRATION]: The state save command allows persistent storage of browser session data, including cookies and local storage, to JSON files. While intended for session reuse, these files contain sensitive authentication tokens that could be targeted for exfiltration if stored in insecure locations.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because its core function is processing untrusted web data.
      ◦ Ingestion points: External content is brought into the agent's context through snapshot, get text, get url, and get title (found in SKILL.md and references/commands.md).
      ◦ Boundary markers: There are no documented delimiters or instructions to help the agent distinguish skill commands from potentially malicious instructions embedded in the target web pages.
      ◦ Capability inventory: The agent possesses high-impact capabilities, including arbitrary code execution (eval), form submission (fill, click), and credential management (state save).
      ◦ Sanitization: No sanitization or validation logic is present to filter content retrieved from remote URLs before it is returned to the agent.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 8, 2026, 09:16 AM