
agent-browser

Verdict: Warn

Audited by Gen Agent Trust Hub on Mar 19, 2026

Risk Level: MEDIUM
Findings: DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The interact function supports an upload action that accepts an array of local file paths (file_paths). This lets the agent read local files and upload them to any remote website, creating a data-exfiltration path if the agent is compromised or misled.
  • [REMOTE_CODE_EXECUTION]: The execute function runs arbitrary JavaScript inside the browser session. This is a powerful execution primitive that can be used to bypass security controls, access sensitive session data (such as cookies), or act on the user's behalf in ways that are difficult to audit.
  • [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection because it is designed to ingest and process content from untrusted external web pages.
    • Ingestion points: Untrusted data enters the agent context through the open, snapshot, and execute functions (e.g., scraping innerText or elements_text).
    • Boundary markers: No explicit boundary markers or instructions tell the agent to treat webpage content as untrusted or to ignore embedded instructions.
    • Capability inventory: The skill has high-impact capabilities, including execute (arbitrary JS), upload (file access), and interact (form filling and clicking).
    • Sanitization: Content retrieved from the web (HTML, text, attributes) is returned to the agent without sanitization or filtering.
Audit Metadata
  Risk Level: MEDIUM
  Analyzed: Mar 19, 2026, 01:18 PM