browser-use

Fail

Audited by Gen Agent Trust Hub on Mar 23, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The bu.sh script includes logic to automatically install the uv package manager if it is missing. On Unix-like systems, it fetches and executes a script from https://astral.sh/uv/install.sh. On Windows, it uses a PowerShell command to fetch and execute https://astral.sh/uv/install.ps1. These are established sources for the tool.
  • [EXTERNAL_DOWNLOADS]: The skill's configuration (pyproject.toml) specifies a dependency on the browser-use library directly from its GitHub repository (github.com/browser-use/browser-use.git), which is downloaded and installed during the initial setup.
  • [PROMPT_INJECTION]: The recipe.py script implements a recipe system that is susceptible to indirect prompt injection. Data extracted from a web page in one step (using the eval tool) can be stored in a context variable and then interpolated into the JavaScript code of a subsequent eval step using Python's format_map. An attacker controlling a website visited by the skill could potentially craft content that, when extracted and re-executed, runs arbitrary JavaScript in the browser session.
      • Ingestion points: Data is extracted from web pages via eval steps in recipe.py and stored in the ctx dictionary.
      • Boundary markers: No boundary markers or instructions are used when interpolating data into subsequent steps.
      • Capability inventory: The skill has the ability to interact with the browser, execute arbitrary JavaScript, and access Chrome profiles.
      • Sanitization: There is no escaping or validation of the data extracted from pages before it is used in subsequent command interpolation.
  • [COMMAND_EXECUTION]: The skill executes shell commands via the bu.sh wrapper script and subprocess.run in recipe.py. These calls use list-based arguments to prevent direct command injection. The skill also allows for arbitrary Python and JavaScript execution as part of its core functionality.
Recommendations
  • HIGH: Downloads and executes remote code from: https://astral.sh/uv/install.sh - DO NOT USE without thorough review
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 23, 2026, 12:17 PM