stagehand-browser-cli

Pass

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: SAFE
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
  • [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill is designed to ingest and process content from arbitrary web pages which could contain malicious instructions.
  • Ingestion points: Data is ingested from the live web via browser navigate, browser extract, and browser observe commands (SKILL.md, REFERENCE.md).
  • Boundary markers: Absent. There are no instructions or delimiters defined to separate untrusted web content from agent instructions.
  • Capability inventory: The agent has access to the Bash tool, allowing for arbitrary command execution and file system writes (screenshots and downloads).
  • Sanitization: Absent. The skill passes web content directly to an AI model (Claude Haiku 4.5) for interpretation and action execution.
  • [COMMAND_EXECUTION]: The skill executes browser actions (clicking, typing, etc.) based on natural language descriptions provided to the browser act command, which can be influenced by website content or user input.
  • [CREDENTIALS_UNSAFE]: Persistent Browser Profile. The tool uses a persistent directory (.chrome-profile/) to store the browser's user data (REFERENCE.md). This directory contains session cookies and potentially saved passwords, which could be exposed if the local environment or the agent's file access is compromised.
Audit Metadata
Risk Level: SAFE
Analyzed: May 18, 2026, 01:02 AM
Security Audit — agent-trust-hub — stagehand-browser-cli