browser-tools

Warn

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [DATA_EXFILTRATION]: The browser-cookies.js script allows the agent to extract all cookies from the active browser tab, including those with httpOnly and secure flags. This capability could be abused to hijack user sessions if the agent is manipulated by an attacker.
  • [DATA_EXFILTRATION]: The browser-start.js script includes a --profile feature that clones the user's primary Chrome profile—containing logins, cookies, and history—from ~/Library/Application Support/Google/Chrome/ to a local cache directory. This creates an unencrypted copy of sensitive user data.
  • [COMMAND_EXECUTION]: Several scripts execute system commands and manage local processes. Specifically, browser-start.js uses execSync to run rsync for profile copying and rm for clearing system locks, and uses spawn to launch the Google Chrome executable.
  • [COMMAND_EXECUTION]: The browser-eval.js script uses the AsyncFunction constructor (new AsyncFunction) to execute arbitrary JavaScript code strings within the browser context. This is a form of dynamic execution that can be exploited if the input string is controlled by an untrusted source.
  • [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection due to its core function of browsing and extracting web content.
      • Ingestion points: browser-content.js, browser-eval.js, and browser-hn-scraper.js pull raw data from external websites into the agent's context.
      • Boundary markers: There are no markers or instructions used to prevent the agent from following commands embedded in the scraped HTML or markdown.
      • Capability inventory: The agent has high-privilege tools available including cookie extraction, JavaScript evaluation, and navigation.
      • Sanitization: No sanitization or filtering is performed on the data retrieved from external URLs before it is processed or presented to the agent.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 1, 2026, 05:10 AM