
agent-browser

Pass

Audited by Gen Agent Trust Hub on May 7, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted web data without boundary markers. An attacker could embed malicious instructions in a web page that the agent visits.
    - Ingestion points: The skill retrieves and processes HTML elements, text content, and metadata from arbitrary URLs provided to the browser (SKILL.md, references/snapshot-refs.md).
    - Boundary markers: The prompt templates define no delimiters or instructions that distinguish agent instructions from untrusted data fetched from the web.
    - Capability inventory: The skill possesses high-privilege capabilities, including arbitrary JavaScript execution (execute), file uploads (upload), and automated browser interaction (interact), which could be leveraged if the agent follows instructions embedded in processed content (references/commands.md).
    - Sanitization: The skill does not appear to sanitize or filter web content before presenting it to the agent.
  • [EXTERNAL_DOWNLOADS]: The documentation links to external resources for installing the required CLI tools, specifically a GitHub repository under the inference-sh organization (SKILL.md).
  • [COMMAND_EXECUTION]: The skill provides an execute function that lets the agent run arbitrary JavaScript in the context of the active browser page. While necessary for automation, this is a significant capability that could be misused if the agent's logic is compromised (references/commands.md).
  • [DATA_EXFILTRATION]: The skill is designed to extract information from web pages, including text, links, screenshots, and videos, and it explicitly documents how to extract cookies from the browser session. These are intended browser-automation features, but they involve handling potentially sensitive data (references/authentication.md, references/video-recording.md).
Audit Metadata
Risk Level: SAFE
Analyzed: May 7, 2026, 12:59 AM
Security Audit — agent-trust-hub — agent-browser