agent-browser

Fail

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill includes an eval command that executes arbitrary JavaScript in the page context of the browser instance. Code run this way can read whatever the page itself can reach (DOM contents, Web Storage, cookies not marked HttpOnly), bypass client-side validation, and perform actions inside the user's authenticated session.
  • [DATA_EXFILTRATION]: When the --allow-file-access flag is enabled, the skill can open local files via the file:// protocol. An agent can therefore load sensitive local files (configuration files, documents, SSH private keys), read them back with the same text-extraction commands, and send them out over the browser's own network access.
  • [PROMPT_INJECTION]: Because the skill exists to ingest and summarize content from the open web, it is exposed to indirect prompt injection: instructions hidden in a page (for example in HTML comments or behind zero-width characters) arrive as ordinary page text and can redirect the agent's behaviour. Evidence: ingestion points include the snapshot and get text commands; the capability inventory includes file writes and network access (SKILL.md).
  • [CREDENTIALS_UNSAFE]: The documentation and templates (e.g., templates/authenticated-session.sh) suggest handling authentication by passing credentials via environment variables or CLI arguments. Command-line arguments are visible to other processes on the host (ps, /proc) and are written to shell history; environment variables are inherited by every child process. Either way the secret can end up in process listings or logs.
  • [EXTERNAL_DOWNLOADS]: The skill workflow frequently runs the agent-browser package through npx directly from the npm registry. Although npm is a well-known service, an unpinned npx invocation downloads and executes whatever version the registry serves at run time, so the code that actually runs is not fixed by the skill itself.
Recommendations
  • Automated analysis detected serious security threats; see the findings above.
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 13, 2026, 07:10 PM