agent-browser

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Categories checked: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • PROMPT_INJECTION (LOW): The skill is exposed to indirect prompt injection (Category 8) because it is designed to ingest and process content from arbitrary external websites. An attacker could embed instructions in a web page's text or metadata to manipulate the agent's behavior during a session.
  • Ingestion points: agent-browser open, agent-browser get text, and agent-browser snapshot in templates/capture-workflow.sh and templates/form-automation.sh.
  • Boundary markers: No explicit delimiters or instructions to ignore embedded commands were found in the templates.
  • Capability inventory: The skill possesses high-privilege capabilities including form submission (click, fill), navigation, and session state persistence (state save/load).
  • Sanitization: No sanitization or validation of the extracted web content is performed before it is potentially passed back to the agent.
  • COMMAND_EXECUTION (SAFE): The skill uses shell scripts to automate the agent-browser CLI. The command execution is restricted to the intended automation tasks and does not involve the execution of arbitrary strings from untrusted sources in a shell context.
  • CREDENTIALS_UNSAFE (SAFE): Although the documentation files contain example credentials (e.g., 'password123'), these are clearly used as placeholders. The technical templates correctly implement environment variable lookups for sensitive information.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 17, 2026, 06:49 PM