The Agent Skills Directory

[COMMAND_EXECUTION]: The skill provides explicit shell and PowerShell commands to launch Google Chrome or Chromium with remote debugging enabled (--remote-debugging-port=9222) and relaxed origin policies (--remote-allow-origins=*). This configuration reduces the browser's built-in security to facilitate automation.
[REMOTE_CODE_EXECUTION]: The command agent-browser eval <javascript> and agent-browser wait --fn "condition" allow for the execution of arbitrary JavaScript within the browser context. This capability can be exploited if the agent interpolates untrusted input into these commands.
[DATA_EXFILTRATION]: Several commands allow the extraction of sensitive information, including agent-browser cookies, agent-browser storage local, and agent-browser snapshot. The skill also supports saving and loading full authentication states to the local filesystem using agent-browser state save <path>.
[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it ingests untrusted content from web pages via snapshot, get text, and get html. This external data enters the agent's context and could contain malicious instructions that manipulate the agent's subsequent actions.
Ingestion points: SKILL.md (via get text, get html, snapshot commands)
Boundary markers: Absent; no explicit delimiters or warnings to ignore instructions within web content are provided in the skill instructions.
Capability inventory: SKILL.md (arbitrary JS execution via eval, file writes via state save and screenshot, network interaction via browser navigation and set headers)
Sanitization: Absent; the skill does not specify any methods for filtering or escaping the data retrieved from web pages before processing.

browser