next-browser

Fail

Audited by Gen Agent Trust Hub on Apr 28, 2026

Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The file prototypes/cloud/src/shared.ts contains a hardcoded absolute path to a sensitive environment file (.env.local) located in a specific developer's workspace (/Users/judegao/workspace/repo/agent-eval/.env.local). The associated loadEnv function attempts to read and inject these secrets into the process environment.
  • [COMMAND_EXECUTION]: The skill implements an eval command in src/cli.ts and src/daemon.ts that allows the AI agent to execute arbitrary JavaScript code within the browser context via page.evaluate. It also spawns a background daemon process using node.
  • [DATA_EXFILTRATION]: The network command in src/network.ts and src/cli.ts enables the agent to inspect detailed request and response data, including sensitive headers like Authorization and Cookie, which could be misused to harvest session tokens or credentials from the dev server traffic.
  • [EXTERNAL_DOWNLOADS]: Instructions in SKILL.md direct the agent to perform global package installations (npm install -g @vercel/next-browser) and download browser binaries (playwright install chromium). These operations target well-known registries and vendors.
  • [PROMPT_INJECTION]: The skill has a significant indirect prompt injection surface (Category 8) because it ingests untrusted data from web pages, logs, and network traffic without sanitization while maintaining powerful browser automation capabilities. Ingestion points: src/network.ts (response bodies), src/suspense.ts (suspender descriptions). Boundary markers: Absent. Capability inventory: browser-level evaluate, process spawn, and cookie management. Sanitization: Absent.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 28, 2026, 10:46 PM