chrome-devtools

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The screenshot.js script is vulnerable to shell command injection in the compressImageIfNeeded function. The --output argument is interpolated into a shell command string executed via execSync. An attacker can execute arbitrary commands on the host system by providing a filename with shell metacharacters like ; or $(). Evidence: scripts/screenshot.js (lines 50, 68).
  • [REMOTE_CODE_EXECUTION] (HIGH): The evaluate.js tool uses eval() within page.evaluate() to execute arbitrary JavaScript in the browser context. This capability allows for complete session hijacking and data theft if used on malicious or compromised websites. Evidence: scripts/evaluate.js (line 34).
  • [COMMAND_EXECUTION] (MEDIUM): The installation process requires sudo privileges to install system-level dependencies, which increases the attack surface during the initial skill setup. Evidence: scripts/install-deps.sh.
  • [PROMPT_INJECTION] (LOW): The skill is highly vulnerable to Indirect Prompt Injection.
      1. Ingestion points: snapshot.js (DOM content), console.js (logs), and network.js (network traffic).
      2. Boundary markers: Absent.
      3. Capability inventory: Arbitrary JavaScript execution (evaluate.js), form interaction (fill.js), and potential host shell access via the screenshot.js vulnerability.
      4. Sanitization: Absent. The skill transfers raw browser data to the agent without filtering for malicious instructions.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 06:32 PM