agent-browser

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • [Unverifiable Dependencies & Remote Code Execution] (MEDIUM): The integration examples in examples/agent-mode/integration.md and templates/ai-agent-workflow.md recommend using subprocess.run(shell=True) (Python) and exec() (Node.js) to call the CLI tool.
      ◦ Evidence: The Python template uses subprocess.run(f"agent-browser {command} --json", shell=True). If an AI agent populates the {command} variable with data derived from an untrusted source (like a malicious website), it could lead to arbitrary command execution on the host machine.
  • [Indirect Prompt Injection] (LOW): The core purpose of the skill is to allow an agent to read and interact with arbitrary web content.
      ◦ Ingestion points: agent-browser snapshot in api/commands.md and various examples.
      ◦ Boundary markers: The skill encourages using --json for structured output, which provides a data boundary but does not sanitize the content within the JSON fields.
      ◦ Capability inventory: The skill allows the agent to click, fill, and eval (JavaScript) within the browser, and provides templates for host-side execution.
      ◦ Sanitization: No sanitization logic is provided in the templates to filter or escape instructions embedded in the web content processed by the agent.
  • [Privilege Escalation] (LOW): Installation instructions in examples/getting-started/installation.md include sudo apt-get install for Linux system dependencies. This is standard for browser automation tools like Playwright but involves elevated privileges.
  • [Dynamic Execution] (MEDIUM): The agent-browser eval command (documented in api/commands.md) allows for the execution of arbitrary JavaScript within the browser context. While intended for automation, it presents a risk if the script content is influenced by untrusted external data.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 17, 2026, 05:58 PM