
browse

Fail

Audited by Gen Agent Trust Hub on Apr 14, 2026

Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The browse cookie-import command enables the extraction of sensitive session cookies and authentication data from the local user's primary browsers (Chrome, Arc, Brave, and Edge), exposing high-value credentials to the agent's context.
  • [CREDENTIALS_UNSAFE]: The skill implements a local "auth vault" and API key storage (browse auth save, browse provider save) that encourages storing passwords and secrets within the tool's managed environment, increasing the risk of credential exposure.
  • [COMMAND_EXECUTION]: Provides the ability to execute arbitrary JavaScript within a browser context via browse js and browse eval. Additionally, "enable" commands perform system-level operations, such as building platform runners and configuring the host environment for mobile emulation.
  • [EXTERNAL_DOWNLOADS]: The browse enable commands automate the retrieval and installation of official developer toolchains and SDKs (including Android ADB, JDK, and emulator components) from remote repositories.
  • [PROMPT_INJECTION]: As a tool designed to process content from arbitrary web pages, the skill is susceptible to indirect prompt injection. Maliciously crafted web content could attempt to influence the agent to perform unauthorized actions using the CLI's extensive data access and automation features.
  • Ingestion points: Web page text, HTML, and accessibility snapshots (e.g., browse text, browse snapshot) entering the context via SKILL.md.
  • Boundary markers: Includes a --content-boundaries flag to wrap page content in markers, though these do not fully eliminate the risk of adversarial injection.
  • Capability inventory: Subprocess calls (via Bash tool), arbitrary JavaScript execution (browse js), file downloads, and system toolchain management across all referenced guides.
  • Sanitization: Relies on the --content-boundaries flag and domain restriction (--allowed-domains) for mitigation, but provides high-privilege commands that can be targeted by successful injections.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 14, 2026, 06:29 AM