baoyu-danger-gemini-web
Fail
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: HIGH
Flags: CREDENTIALS_UNSAFE, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill retrieves sensitive authentication tokens (__Secure-1PSID, __Secure-1PSIDTS) from the browser and stores them in a plaintext JSON file (cookies.json) in the user's data directory, exposing them to any process with read access to that directory.
- [DATA_EXFILTRATION]: The skill uses the Chrome DevTools Protocol (CDP) to automatically extract private session cookies from the user's browser profiles. This behavior programmatically bypasses standard browser security boundaries to retrieve authentication data.
- [COMMAND_EXECUTION]:
  - Process Monitoring: The script scripts/vendor/baoyu-chrome-cdp/src/index.ts executes ps aux to scan the system's process list and locate active browser instances.
  - Environment Resolution: The script scripts/gemini-webapi/utils/paths.ts executes cmd.exe /C "echo %USERPROFILE%" and wslpath to identify user directories in WSL and Windows environments.
  - Process Spawning: The code programmatically spawns browser processes (Google Chrome, Microsoft Edge) with debugging flags enabled (--remote-debugging-port) to allow external control and data extraction.
- [PROMPT_INJECTION]: The skill ingests untrusted user input and file content to generate prompts for the Gemini API without implementing boundary markers or sanitization, creating a surface for indirect prompt injection.
  1. Ingestion points: scripts/main.ts accepts prompts via CLI arguments, concatenated files, and standard input.
  2. Boundary markers: None are applied to the user-provided prompt content.
  3. Capability inventory: The skill can perform network requests to Google services and write session data/images to the local file system.
  4. Sanitization: No sanitization or escaping of prompt content is performed before transmission to the API.
Recommendations
- AI detected serious security threats