The Agent Skills Directory

[EXTERNAL_DOWNLOADS]: The bb-browser site update command is used to fetch 'community adapters' from a remote source. These adapters are external logic files whose source and integrity are not specified, creating a risk of downloading unverified content.
[REMOTE_CODE_EXECUTION]: Since 'adapters' define how the tool interacts with and parses websites, downloading and running community-contributed adapters from an unknown source effectively allows for the execution of external logic within the agent's environment.
[COMMAND_EXECUTION]: The skill heavily relies on the execution of the bb-browser binary via Bash commands to perform scraping, data filtering, and adapter management.
[DATA_EXFILTRATION]: A core feature of the skill is utilizing the user's existing browser login state (cookies/sessions) to access data on platforms like Twitter, Reddit, and GitHub. While this is the intended functionality, it creates a significant risk if malicious adapters are retrieved, as they could access and exfiltrate sensitive session information or private user data.
[PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection because it processes content from 36+ external platforms (e.g., social media threads, search results, and knowledge bases).
Ingestion points: Untrusted data enters the agent context from various third-party websites via bb-browser commands.
Boundary markers: The instructions do not define delimiters or specific markers to prevent the agent from following instructions embedded within the scraped content.
Capability inventory: The agent has the ability to execute shell commands (bb-browser) and is instructed that it can reverse-engineer APIs and submit Pull Requests.
Sanitization: There is no mention of sanitizing or filtering the retrieved web data to remove potentially malicious instructions before processing.

bb-browser-openclaw