agent-browser

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill is designed to ingest and process untrusted external data from websites via the agent-browser open, snapshot, and get text commands. This creates a significant attack surface where a malicious website can embed instructions to hijack the agent's behavior.
      • Ingestion points: Website content accessed via agent-browser open and extracted via snapshot or get text.
      • Boundary markers: None. The instructions do not provide delimiters or 'ignore' warnings for the agent when processing page content.
      • Capability inventory: The agent can write files (state save, screenshot, pdf), access the network (open <url>), and read local host files (--allow-file-access).
      • Sanitization: No evidence of sanitization or filtering of external content before it is returned to the agent context.
  • Data Exfiltration & Exposure (HIGH): The skill explicitly supports accessing sensitive local data.
      • Local File Access: The --allow-file-access flag allows the agent to read arbitrary files (e.g., file:///etc/passwd or ~/.ssh/id_rsa) if the agent is successfully injected.
      • Credential Exposure: The state save auth.json command exports session cookies and tokens to a local file. An injected agent could be directed to read this file and exfiltrate its contents via a form submission or URL parameter on a malicious site.
  • External Downloads (MEDIUM): The skill documentation requires manual installation of external dependencies (appium and the xcuitest driver) via npm. While these are standard tools, they represent an external dependency chain that must be verified by the user.
  • Command Execution (LOW): The skill is granted Bash(agent-browser:*) permissions. While restricted to a specific binary, the binary itself provides broad system-level interaction capabilities (file reading/writing, network access, mobile simulation).
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:51 PM