agent-browser

Warn

Audited by Gen Agent Trust Hub on Apr 23, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The interact function, documented in SKILL.md and references/commands.md, supports an upload action that accepts local file_paths. This allows the agent to read and upload files from the host system to remote web servers. This capability could be exploited to exfiltrate sensitive files such as SSH keys, environment secrets, or cloud credentials if the agent is misdirected.
  • [COMMAND_EXECUTION]: The execute function, described in references/commands.md, enables the execution of arbitrary JavaScript within the browser session. While limited to the browser environment, this can be used to access sensitive session information; the authentication patterns in references/authentication.md explicitly demonstrate using this to extract session cookies via document.cookie.
  • [PROMPT_INJECTION]: The skill is designed to navigate to and process content from external, untrusted websites, creating a surface for indirect prompt injection.
    • Ingestion points: External URLs and their content processed via the open and snapshot functions in SKILL.md.
    • Boundary markers: The instructions do not implement delimiters or warnings to prevent the agent from following instructions embedded in the retrieved web content.
    • Capability inventory: The agent has access to sensitive tools including JavaScript execution and local file uploading.
    • Sanitization: No explicit sanitization or filtering of the retrieved DOM content was found in the provided instruction files.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 23, 2026, 12:57 PM