The Agent Skills Directory

[Indirect Prompt Injection] (HIGH): The skill is designed to ingest untrusted external data by navigating to arbitrary URLs and taking snapshots of page content. This data is then processed by the agent to make decisions and perform actions like clicking, typing, or uploading files. A malicious website could embed hidden instructions to hijack the agent's behavior.
Ingestion points: agent-browser open <url>, agent-browser snapshot.
Boundary markers: None specified in the instructions for the agent to distinguish between tool instructions and website content.
Capability inventory: click, type, fill, eval <js>, upload <sel> <files>, and file-writing via screenshot and pdf.
Sanitization: No evidence of sanitization for website content before processing.
[Data Exposure] (HIGH): The skill explicitly facilitates connection to real Chrome user profiles via --cdp and --session flags. These profiles contain highly sensitive information including session cookies, saved passwords, and browsing history. An agent could be manipulated into exfiltrating this data via agent-browser cookies or agent-browser storage local.
[Command Execution] (HIGH): The agent-browser eval <js> command allows for the execution of arbitrary JavaScript within the browser context. This provides a direct execution vector if the agent is influenced by malicious instructions found on a web page.
[Data Exposure] (MEDIUM): The documentation contains a hardcoded local file path to a specific user's Chrome configuration (/home/willr/.config/google-chrome/Default). While intended as an example, it discloses valid system paths and user names.
[External Downloads] (LOW): The skill requires downloading external packages via npm install and git clone. Per [TRUST-SCOPE-RULE], these findings are downgraded to LOW/INFO as they target the trusted GitHub organization vercel-labs.

Agent Browser