cmux-browser

Warn

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides tools for browser interaction via the cmux CLI and includes instructions for executing local scripts like ./scripts/reload.sh. It also allows arbitrary JavaScript execution within the browser using eval, addscript, and addinitscript commands.
  • [PROMPT_INJECTION]: The skill exhibits a significant indirect prompt injection surface. It ingests untrusted data from the web through commands like snapshot, get html, and get text (as seen in SKILL.md and references/commands.md). There are no boundary markers or sanitization steps to protect against malicious instructions embedded in this web content. This is particularly concerning given the skill's extensive capabilities, including filesystem access (state save, screenshot --out) and dynamic code execution (eval).
  • [DATA_EXFILTRATION]: The skill can access and export sensitive browser data via cookies get, storage local get, and state save. The documentation also includes examples of form filling with the $PASSWORD environment variable. These capabilities could be abused to exfiltrate session data or credentials if the agent is manipulated by untrusted input.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Jun 13, 2026, 07:18 AM