The Agent Skills Directory

[DYNAMIC_EXECUTION]: The skill provides an eval command that allows for arbitrary JavaScript execution within the browser context. Documentation specifically encourages using Base64 encoding (-b flag) to bypass shell escaping, which can also be used to obfuscate the intent of executed scripts.
[COMMAND_EXECUTION]: The tool includes a --allow-file-access flag, which grants the browser permission to read local files via file:// URLs. If misconfigured or exploited, this could allow an attacker to read sensitive local documents.
[DATA_EXFILTRATION]: The state save and state load commands enable exporting and importing full browser session data, including cookies and localStorage, to local files (e.g., auth-state.json). While documentation warns against committing these files, they represent a significant risk for local credential exposure if not handled with strict permissions.
[PROMPT_INJECTION]: The skill's primary purpose is to ingest and process data from arbitrary external websites, making it a target for indirect prompt injection.
Ingestion points: Untrusted data enters the agent context via agent-browser open, agent-browser snapshot, and agent-browser get text commands.
Boundary markers: There are no explicit instructions or delimiters provided in the skill to prevent the agent from obeying instructions embedded in the web content it retrieves.
Capability inventory: The skill has the ability to write to the filesystem (state save, screenshot, pdf, record stop) and perform network operations via the browser.
Sanitization: There is no evidence of content sanitization or safety filtering for the data extracted from web pages.
[EXTERNAL_DOWNLOADS]: The skill instructions include the installation of the agent-browser package from the global NPM registry and the appium driver for mobile automation.

agent-browser