opencli-browser

Warn

Audited by Gen Agent Trust Hub on May 14, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The 'browser upload' command allows the agent to attach local files to web forms. This capability can be abused to exfiltrate sensitive files (e.g., SSH keys, configuration files, or credentials) from the local filesystem to a remote server if the agent is compromised or deceived by malicious instructions.
  • [DATA_EXFILTRATION]: The 'browser network' command captures and returns network traffic, including request/response headers and bodies. This places secrets such as Bearer tokens, session cookies, and API keys into the agent's context, and from there into anything the context is forwarded to (transcripts, logs, other tools). No redaction is applied before the capture is returned.
  • [REMOTE_CODE_EXECUTION]: The 'browser eval' command executes arbitrary JavaScript in the page's execution context. The skill's instructions recommend read-only use, but nothing enforces it: the same command can read same-origin storage and the DOM, submit forms, or issue requests that carry the page's credentials.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. Content from untrusted websites ingested via 'browser state', 'web read', or 'extract' can carry hidden instructions, and the agent that reads them can act on them with the dangerous capabilities listed here (file upload, network capture, JavaScript execution).
  • [PROMPT_INJECTION]: Mandatory Evidence Chain (Category 8). Ingestion points: 'browser state', 'get text', 'web read', and 'browser extract' in SKILL.md. Boundary markers separating untrusted page content from instructions: absent. Capability inventory reachable from an injected instruction: file uploads, network traffic capture, and arbitrary JavaScript execution. Sanitization of external content before it is interpolated into the agent context: not performed.
  • [COMMAND_EXECUTION]: The skill runs a local binary, 'opencli', through shell commands. This is the intended functionality, but any user- or page-supplied string (URLs, selectors, file paths) that reaches the command line must be passed as a discrete argument rather than interpolated into a shell string, or it becomes a command-injection vector.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 14, 2026, 11:42 AM