
agent-browser

Pass

Audited by Gen Agent Trust Hub on Apr 13, 2026

Risk Level: SAFE
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill implements an update check mechanism in SKILL.md that fetches a version manifest (versions.json) from the author's GitHub repository at https://raw.githubusercontent.com/abpai/skills/main/versions.json.
  • [REMOTE_CODE_EXECUTION]: If an update is detected, the skill instructs the agent to prompt the user to run npx skills update agent-browser. This involves downloading and executing code from the NPM registry.
  • [COMMAND_EXECUTION]: The agent-browser eval command allows the agent to execute arbitrary JavaScript within the browser context. This is a core feature documented for both plaintext and Base64-encoded scripts to handle complex logic or bypass shell escaping issues.
  • [DATA_EXFILTRATION]: The skill provides extensive tools for data extraction, including taking screenshots, generating PDFs, and reading page text (get text). While intended for automation, these tools could be used to extract sensitive information from authenticated web sessions.
  • [PROMPT_INJECTION]: As a tool designed to process web content, the skill has an inherent surface for Indirect Prompt Injection. Malicious instructions on a web page could be ingested through commands like snapshot or get text and subsequently interpreted by the agent.
      • Ingestion points: Untrusted data enters the agent context via agent-browser snapshot and agent-browser get text (as seen in SKILL.md and references/commands.md).
      • Boundary markers: The skill offers an optional --content-boundaries flag to wrap page content in unique nonce-based markers, though this is not enabled by default in the primary workflow examples.
      • Capability inventory: The environment allows the agent to execute Bash commands, providing a significant capability tier for injected instructions to exploit.
      • Sanitization: The skill provides a mechanism for boundary markers but does not perform default sanitization or filtering of the web content before it is returned to the agent.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 13, 2026, 04:21 PM