The Agent Skills Directory

[CREDENTIALS_UNSAFE]: The skill is designed to inherit the user's existing browser authentication state by accessing local profile directories.\n
Evidence: The PROFILES list in src/browser_harness/daemon.py references standard paths for Chrome, Edge, and Brave profiles on macOS, Linux, and Windows.\n
Context: This access allows the agent to interact with websites using the user's logged-in sessions, which is a core function but exposes sensitive data to the agent harness.\n- [COMMAND_EXECUTION]: The CLI entry point executes arbitrary code provided through standard input.\n
Evidence: exec(code, globals()) in src/browser_harness/run.py.\n
Context: This allows the agent to run complex Python logic to drive the browser, but it provides a direct path for executing unverified code on the host system.\n- [REMOTE_CODE_EXECUTION]: The skill provides instructions and code for running a remote shell script via a piped execution pattern.\n
Evidence: curl -fsSL https://browser-use.com/profile.sh | sh is referenced in src/browser_harness/admin.py and interaction-skills/profile-sync.md.\n
Context: While the script originates from the skill's author domain, piped remote execution is a high-risk behavior that bypasses local verification.\n- [PROMPT_INJECTION]: The skill possesses a significant attack surface for indirect prompt injection due to its primary purpose of scraping untrusted web content.\n
Ingestion points: goto_url and new_tab in src/browser_harness/helpers.py, along with various domain-specific extraction scripts.\n
Boundary markers: The skill does not employ specific delimiters or system instructions to prevent the agent from obeying commands embedded in scraped site data.\n
Capability inventory: The harness has the ability to execute shell commands (subprocess), arbitrary Python (exec), and perform network operations.\n
Sanitization: Extracted text and HTML from agent-workspace/domain-skills/ are returned directly to the agent's context without filtering or escaping.

browser