skills/ruvnet/ruflo/browser-auth-flow/Gen Agent Trust Hub

browser-auth-flow

Pass

Audited by Gen Agent Trust Hub on May 4, 2026

Risk Level: SAFE
[PROMPT_INJECTION]
Full Analysis
  • [PROMPT_INJECTION]: The skill processes untrusted content from arbitrary URLs provided in the arguments, creating a surface for indirect prompt injection attacks where malicious web content could attempt to influence agent behavior.
  • Ingestion points: Untrusted data enters the agent context via browser_open on the user-provided <login-url> and through reading browser state like document.cookie via browser_eval.
  • Boundary markers: The skill does not define explicit delimiters or instructions to ignore embedded commands within the content it audits.
  • Capability inventory: The agent has access to Bash, Read, Write, and browser automation tools (fill, type, eval, click).
  • Sanitization: The skill includes instructions to use aidefence_scan and aidefence_is_safe to identify and redact PII or credentials before data is returned to the model, which significantly mitigates the risk of data exposure.
Audit Metadata
Risk Level: SAFE
Analyzed: May 4, 2026, 09:12 PM