autobrowse

Warn

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes external commands and local scripts to perform its tasks.
      • Evidence: SKILL.md instructions specify running node ${CLAUDE_SKILL_DIR}/scripts/evaluate.mjs.
      • Evidence: The script scripts/evaluate.mjs uses execFileSync to execute the browse CLI tool (lines 201-213).
  • [REMOTE_CODE_EXECUTION]: The skill dynamically generates and installs new agent capability files into the user's persistent skill directory.
      • Evidence: SKILL.md Step 3 and the 'After all iterations' section describe generating a new SKILL.md file and writing it to ~/.claude/skills/<task-name>/SKILL.md.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted data from external websites.
      • Ingestion points: Website data (accessibility trees and text) is ingested via the browse snapshot and browse get text commands within scripts/evaluate.mjs (lines 35-65).
      • Boundary markers: The inner agent's system prompt (lines 222-300 of scripts/evaluate.mjs) uses section headers but lacks robust delimiters or specific instructions to ignore embedded commands in the web content.
      • Capability inventory: The skill has access to the Agent tool (for spawning sub-agents), the Bash tool, and the ability to write files and execute the browse CLI.
      • Sanitization: No sanitization or safety filtering of the ingested website content is performed before it is presented to the agent reasoning loop.
  • [EXTERNAL_DOWNLOADS]: The skill relies on, and instructs the user to install, external dependencies and tools.
      • Evidence: README.md and package.json list dependencies on @anthropic-ai/sdk and dotenv, and specify installation of the browse CLI via npm.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 19, 2026, 02:59 AM
Security Audit — agent-trust-hub — autobrowse