
vercel-sandbox

Pass

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: SAFE
Flags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses sandbox.runCommand to execute a variety of operations within the ephemeral microVM. This includes system-level tasks like clearing package caches and installing dependencies with dnf, as well as operational tasks like managing browser sessions through the agent-browser CLI.
  • [EXTERNAL_DOWNLOADS]: During initialization, the skill downloads several dozen Linux system libraries required by Chromium from the default package repositories. It also installs the agent-browser utility globally via npm and uses npx to fetch additional browser binaries.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it extracts data from untrusted external websites, specifically page titles and accessibility trees (via agent-browser get title and agent-browser snapshot). This ingested content is returned to the agent without sanitization or boundary markers, which could allow a malicious webpage to influence subsequent agent actions.
    ◦ Ingestion points: Page content, accessibility trees, and page titles retrieved from arbitrary URLs.
    ◦ Boundary markers: None present in the example implementations.
    ◦ Capability inventory: Access to runCommand allows execution of shell commands and filesystem access within the sandbox VM.
    ◦ Sanitization: No sanitization of retrieved web content is performed before returning it to the calling agent.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 16, 2026, 03:09 PM
Security Audit — agent-trust-hub — vercel-sandbox