browser-content-capture
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8). It ingests data from external, untrusted URLs via agent-browser and processes it using Bash without any sanitization or boundary markers. This allows an attacker-controlled website to potentially influence or hijack the agent's behavior through instructions embedded in the page content.
- [COMMAND_EXECUTION] (MEDIUM): The skill uses agent-browser eval to execute arbitrary JavaScript on external pages and processes the output in Bash scripts. While the scripts include basic sanitization for file paths, the overall reliance on shell processing for untrusted web data presents an exploitable attack surface.
- [CREDENTIALS_UNSAFE] (MEDIUM): The skill saves full browser session states (including cookies and storage tokens) to /tmp/auth-state.json. Storing sensitive authentication tokens in a shared temporary directory is a security risk, even with the restrictive file permissions (chmod 600) applied in the scripts.
- [EXTERNAL_DOWNLOADS] (LOW): The skill performs external data fetching using curl and agent-browser. The risk is downgraded because the primary tool dependency is sourced from a trusted repository (vercel-labs/agent-browser).
Recommendations
- AI detected serious security threats