agent-browser

Warn

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: MEDIUM

Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides a CLI (agent-browser) that can execute a wide range of browser interactions, including navigation, form filling, and UI manipulation.
  • [REMOTE_CODE_EXECUTION]: The eval command (and its variants --base64 and --stdin) allows for the execution of arbitrary JavaScript within the browser context. This provides a direct path for running non-static code that can interact with page internals or the browser environment.
  • [CREDENTIALS_UNSAFE]: Features like auth save and state save manage sensitive credentials and session tokens. If these files are not properly secured or are accessed by unauthorized processes, it could lead to account takeover.
  • [DATA_EXFILTRATION]: Through the --allow-file-access flag, the agent can navigate to file:// URLs, allowing it to read local system files. Combined with the browser's networking capabilities, this presents a risk of sensitive data being read and sent to external servers.
  • [EXTERNAL_DOWNLOADS]: The download command allows the agent to save files from the internet directly to the local filesystem, which could be used to fetch malicious payloads.
  • [PROMPT_INJECTION]: The skill is a primary target for Indirect Prompt Injection because it ingests untrusted content from the web.
    1. Ingestion points: Web page snapshots and text extraction (SKILL.md, references/snapshot-refs.md).
    2. Boundary markers: Supports opt-in --content-boundaries with nonces to isolate page content (SKILL.md).
    3. Capability inventory: Full browser control, JavaScript execution, file system access, and network interception (references/commands.md).
    4. Sanitization: Includes optional domain allowlisting and action policies to restrict agent behavior.
Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 11, 2026, 07:35 AM