agent-browser

Warn

Audited by Gen Agent Trust Hub on May 7, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides an eval command (and a Base64-encoded variant eval -b) that allows the execution of arbitrary JavaScript within the browser context. This provides a direct path for executing code that can manipulate web pages or exfiltrate data.
  • [COMMAND_EXECUTION]: The --allow-file-access flag permits the browser to access local system files via file:// URLs, which could be exploited to read sensitive local data if the agent is directed to a malicious local path.
  • [CREDENTIALS_UNSAFE]: The state save and session-name features export browser session data, including cookies and localStorage, to files. By default, these files are stored in plaintext, although the documentation mentions optional encryption via an environment variable.
  • [DATA_EXFILTRATION]: The skill contains multiple commands for extracting data, such as get text, snapshot, and clipboard read. These capabilities, combined with the ability to navigate to any URL, create a significant surface for exfiltrating sensitive information retrieved during a session.
  • [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection because its primary function is to ingest and process untrusted content from the web.
      • Ingestion points: Untrusted data enters the context via agent-browser open and snapshot (SKILL.md).
      • Boundary markers: The AGENT_BROWSER_CONTENT_BOUNDARIES feature provides markers to delimit page content, but it is an opt-in security feature (SKILL.md).
      • Capability inventory: The skill has extensive file-write capabilities (screenshot, pdf, state save) and code execution (eval) (references/commands.md).
      • Sanitization: No explicit sanitization or filtering of web content is applied by default before it is returned to the agent context.
  • [EXTERNAL_DOWNLOADS]: The skill includes a download command to fetch files from the web and an install command that downloads the Chromium browser binary.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 7, 2026, 07:52 PM