agent-browser-automate

Pass

Audited by Gen Agent Trust Hub on May 5, 2026

Risk Level: SAFE

Findings flagged: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions involve executing a wide range of shell commands via the agent-browser CLI to interact with the system and browser. This includes specific host-level commands like pbpaste to access the system clipboard.
  • [REMOTE_CODE_EXECUTION]: The skill explicitly instructs the agent to use eval for executing JavaScript directly within the browser context. This is suggested for extracting text from non-interactive DOM elements and managing JS dialogs, which provides a vector for code execution on remote pages.
  • [CREDENTIALS_UNSAFE]: The protocol outlines methods for passing sensitive credentials, such as tokens, usernames, and passwords, directly as command-line arguments and HTTP headers. This practice can expose secrets to system process monitors and shell history files.
  • [DATA_EXFILTRATION]: The skill provides commands for reading from and writing to the system clipboard and local files (e.g., uploads/downloads). These capabilities could be leveraged to move sensitive local data to remote web services.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted data from external websites.
      • Ingestion points: Arbitrary web content accessed via the open command and DOM text extracted through eval strings (e.g., document.querySelector('#id').textContent).
      • Boundary markers: None identified; there are no instructions to use delimiters or to ignore instructions found within the processed web data.
      • Capability inventory: Extensive capabilities, including shell command execution, file system read/write, clipboard access, and browser-side JavaScript execution.
      • Sanitization: No validation or sanitization of the data retrieved from web pages is mentioned.
Audit Metadata
Risk Level
SAFE
Analyzed
May 5, 2026, 07:48 AM
Security Audit — agent-trust-hub — agent-browser-automate