agent-browser

Warn

Audited by Gen Agent Trust Hub on Feb 28, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The tool provides an eval command which allows the execution of arbitrary JavaScript code within the browser context. This includes support for Base64-encoded strings to bypass shell escaping, which can also be used to obfuscate malicious scripts.
  • [COMMAND_EXECUTION]: Local file system access is possible using the file:// protocol when the --allow-file-access flag is enabled. This allows the agent to read local files and potentially expose sensitive information.
  • [EXTERNAL_DOWNLOADS]: The skill is designed to be installed and run via npx agent-browser:*, which fetches code from the NPM registry. This is a standard distribution method for the vendor 'Workleap'.
  • [DATA_EXFILTRATION]: Features like state save and state load allow the agent to write and read session data (including cookies and authentication tokens) to local files. If misused, this could lead to the exposure of sensitive session information.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It ingests untrusted data from external websites via snapshots and text extraction. A malicious website could include instructions designed to exploit the tool's capabilities (like eval or file access) to perform unauthorized actions or exfiltrate data.
  • Ingestion points: Data enters the agent context through agent-browser snapshot and agent-browser get text (e.g., in SKILL.md and templates/capture-workflow.sh).
  • Boundary markers: No explicit delimiters or instructions to ignore embedded commands are provided when processing web content.
  • Capability inventory: The tool supports arbitrary JavaScript execution (eval), local file reading (open file://), session state writing (state save), and general network requests (open <url>).
  • Sanitization: There is no evidence of sanitization or filtering applied to the content extracted from web pages before it is processed by the agent.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 28, 2026, 04:24 PM