The Agent Skills Directory

Indirect Prompt Injection (HIGH): The skill is designed to ingest and process untrusted data from external websites, creating a significant attack surface.
Ingestion points: vibium navigate <url>, vibium text, vibium html, and vibium screenshot allow the agent to pull arbitrary external content into its context.
Boundary markers: None. The skill does not provide delimiters or instructions to treat the scraped content as untrusted data.
Capability inventory: The agent has the ability to interact with the environment through vibium click, vibium type, and vibium select, and can execute arbitrary JavaScript via vibium eval.
Sanitization: None provided. Malicious instructions hidden in a webpage (e.g., in HTML comments or invisible text) could be followed by the agent, leading to data exfiltration or unauthorized actions in other tabs or sessions.
Dynamic Execution (HIGH): The vibium eval "<js>" command allows for the execution of arbitrary JavaScript within the browser session.
Evidence: The documentation explicitly suggests using eval as an "escape hatch for complex DOM queries."
Risk: If an attacker influences the agent to generate or execute specific JS via Indirect Prompt Injection, they could steal session cookies, capture form data, or perform actions on behalf of the user.
Command Execution (LOW): The skill requires the agent to resolve and execute a local CLI binary (vibium).
Evidence: The 'Binary Resolution' section instructs the agent to search for and execute the vibium binary in multiple locations, including ./clicker/bin/vibium.
Risk: While standard for CLI-based skills, this grants the agent the ability to spawn subprocesses.

vibe-check