agent-browser

Warn

Audited by Gen Agent Trust Hub on May 9, 2026

Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructions direct the agent to install the agent-browser tool using npm, brew, or cargo. Additionally, the command agent-browser install downloads Chrome/Chromium binaries from remote sources, and agent-browser upgrade fetches updates for the tool. Use of the Lightpanda engine also involves external downloads.
  • [COMMAND_EXECUTION]: The skill relies on executing shell commands via the Bash tool. It specifically includes an eval command that allows for the execution of arbitrary JavaScript code within the browser context, which is a powerful capability for automation but poses a risk if executing untrusted code.
  • [DATA_EXFILTRATION]: The tool possesses significant data extraction capabilities, including taking screenshots (screenshot), generating PDFs (pdf), and downloading files (download). It can also access the system clipboard using agent-browser clipboard read and stream browser session data over WebSockets via agent-browser stream enable or the background dashboard server.
  • [CREDENTIALS_UNSAFE]: By default, browser authentication states (cookies and local storage) are saved in plaintext JSON files (e.g., auth.json). While the tool supports encryption via the AGENT_BROWSER_ENCRYPTION_KEY environment variable, the default behavior exposes session tokens on the local filesystem.
  • [PROMPT_INJECTION]: The skill is inherently exposed to indirect prompt injection because it processes content from arbitrary websites. A malicious page could embed instructions intended to manipulate the agent's behavior. The skill includes a --content-boundaries flag and domain allowlisting as mitigations, but the risk persists when interacting with untrusted web content.
  • [COMMAND_EXECUTION]: The --allow-file-access flag enables the browser to access local files using the file:// protocol, which could lead to unauthorized data exposure if an agent is tricked into navigating to a local path or file during a session.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 9, 2026, 03:33 AM