
use-my-browser

Fail

Audited by Gen Agent Trust Hub on Apr 7, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill frequently employs chrome-devtools.evaluate_script to execute arbitrary JavaScript within the user's active browser context. This is used for data extraction and page interaction, but it could be leveraged to execute malicious logic if the script content is influenced by data retrieved from untrusted web pages.
  • [COMMAND_EXECUTION]: Instructions in references/browser-recipes.md and SKILL.md direct the agent to use shell_command with native fetch tools like curl and Invoke-WebRequest to perform raw HTML fetches and download web assets.
  • [PROMPT_INJECTION]: The skill possesses a broad surface for indirect prompt injection because it processes live web content such as DOM snapshots, console messages, and network request data. It lacks specific defense mechanisms against instructions embedded in these external sources.
    ◦ Ingestion points: Web data enters the agent's context through take_snapshot, list_console_messages, and get_network_request (documented in references/session-playbook.md).
    ◦ Boundary markers: No specific delimiters or "ignore embedded instructions" warnings are utilized when handling external web content.
    ◦ Capability inventory: The agent has access to sensitive tools including shell_command, evaluate_script, and upload_file (documented in references/browser-recipes.md).
    ◦ Sanitization: There is no evidence of input validation, escaping, or filtering of the content retrieved from processed pages.
  • [DATA_EXFILTRATION]: The skill is designed to operate within the user's current authenticated browser session, granting it access to sensitive cookies and login states. When combined with the skill's ability to perform network operations via shell_command, this creates a high-risk path for data exfiltration. Additionally, an automated security scan flagged the example URL https://xi-xu.me as appearing on a blacklist.
Recommendations
  • AI detected serious security threats
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 7, 2026, 09:59 PM