browser-automation

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is designed to navigate the live web and process external content, creating a significant attack surface for indirect prompt injection.
      • Ingestion points: The agent-browser open <url> and snapshot commands ingest untrusted data from arbitrary websites into the agent's context.
      • Boundary markers: There are no explicit instructions or delimiters defined to help the agent distinguish between its instructions and the content retrieved from the web.
      • Capability inventory: The skill possesses the Bash tool and the agent-browser eval command, which allows for arbitrary JavaScript execution within the browser context.
      • Sanitization: No sanitization or filtering of external content is mentioned, allowing malicious websites to potentially influence the agent's next steps or execute commands via the browser.
  • [Remote Code Execution] (HIGH): The agent-browser eval "js" command allows the agent to execute arbitrary JavaScript in the browser. While intended for automation, it can be abused to perform sensitive actions (e.g., stealing session cookies, modifying DOM elements, or triggering cross-site requests) if the agent is manipulated by untrusted page content.
  • [External Downloads] (LOW): The skill installs the agent-browser package and Chromium. Per [TRUST-SCOPE-RULE], this is downgraded to LOW because the source (vercel-labs) is a recognized trusted organization. However, the agent-browser install --with-deps command may require system-level privileges on Linux.
  • [Data Exfiltration] (MEDIUM): The state save <file> and state load <file> commands access the local file system to store and retrieve browser session data (cookies/storage). While useful for persistence, they represent a vector for credential exposure if the resulting files are not handled securely or are targeted by other malicious tools.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 04:11 AM