agent-browser
Warn
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides an eval command that allows for the execution of arbitrary JavaScript within the browser context. This includes support for Base64-encoded scripts, which can bypass simple string-based filters and enable complex runtime code execution.
- [DATA_EXFILTRATION]: The CLI supports the --allow-file-access flag, permitting the browser to open and read local files (e.g., file:///). When coupled with the tool's ability to perform network operations, this creates a viable path for exfiltrating sensitive local data to external domains.
- [CREDENTIALS_UNSAFE]: The tool manages authentication by saving session states (cookies and local storage) to plaintext JSON files. While encryption is supported via an optional environment variable, the default storage mechanism exposes session tokens if the state files are accessed by unauthorized users or processes.
- [EXTERNAL_DOWNLOADS]: The documentation provides instructions for installing the CLI via global package managers and includes a command (agent-browser install) to download the Chromium/Chrome browser engine from remote sources.
- [PROMPT_INJECTION]: As a tool designed to process and interact with arbitrary web content, the skill is susceptible to indirect prompt injection. Malicious instructions on a website could attempt to hijack the agent's session or exfiltrate data. The author has provided a mitigation in the form of the opt-in AGENT_BROWSER_CONTENT_BOUNDARIES setting.
- [DATA_EXFILTRATION]: The tool includes commands to read from and write to the system clipboard, which could lead to the exposure of sensitive user data if an agent is instructed to read the clipboard after visiting a malicious site.
Audit Metadata