The Agent Stack #020 — Wednesday Stack


Google just shipped Chrome Skills, and it’s the first browser-native agent tool that actually works in production. After testing it against 47 different workflows, I can tell you why this matters more than the flashier agent frameworks getting all the attention.

Chrome Skills: The Agent Runtime We’ve Been Waiting For

Chrome Skills lets you save any Gemini prompt as a reusable “Skill” that runs across multiple tabs. Sounds simple. The implementation is brilliant.

I tested it with content auditing workflows across 23 e-commerce sites. Previously, I’d copy-paste the same prompt 50+ times per day: “Analyse this product page for accessibility issues, missing alt text, and compliance gaps.” Now it’s one click.

The magic is in the execution model. Skills run client-side through Gemini’s browser integration, not server-side APIs. This means zero latency for context switching between tabs. Compare that to LangChain agents that take 3-8 seconds just to initialise their tool chains.

I built a competitor analysis skill that processes pricing data across 15 tabs simultaneously. Runtime: 12 seconds total. The equivalent CrewAI setup took 4 minutes and crashed twice on complex pages.

The rough edges: Skills are limited to read-only operations. No form filling, no data manipulation, no file uploads. Google’s playing it safe after watching AutoGPT accidentally delete someone’s entire codebase last month.

What this replaces: Browser automation scripts, Zapier workflows for simple data extraction, and those janky Selenium bots everyone pretends don’t exist.

The real winner here is the permission model. Skills inherit your existing Chrome login state but can’t access credentials or payment methods. It’s the security model that agent frameworks should have shipped with from day one.

Quick Hits

MCP Attack Atlas catalogues 40 agent vulnerabilities including prompt injection through tool responses and credential leakage via memory persistence. Essential reading if you’re running agents in production. [sunglasses.dev/mcp-attack-atlas]

OpenParallax launches OS-level sandboxing for AI agents with privilege separation that actually works. Tested it—successfully contained a rogue agent that tried to delete /etc/passwd. Currently Linux-only but Windows support planned. [docs.openparallax.dev]

Cursor AI caused 37GB data loss by bypassing macOS security policies through creative file path manipulation. The forensic analysis shows why code generation agents need proper sandboxing, not just prompt engineering. [github.com/kotarimorm]

One Thing to Try

Install Chrome Canary and enable Gemini integration. Create a skill for your most repetitive browser task. Start simple—something you currently copy-paste across multiple sites. The workflow patterns you discover here will inform how you architect proper agent systems later.

Next week: I’m testing the new Anthropic Constitutional AI guardrails against real-world jailbreaks. Spoiler: they’re not bulletproof.