Run any Skill in Manus with one click

$pwd:

kuri-agent

Name: Kuri Agent
Author: justrach

// Use kuri-agent to automate Chrome — navigate pages, interact with elements via a11y refs, capture screenshots, run security audits, enumerate cookies/JWTs, probe for IDOR vulnerabilities, and make authenticated fetches. Use when the user wants to automate a browser, test a web app, scrape data, or run security trajectories against a live site.

Run Skill in Manus

$ git log --oneline --stat

stars:325

forks:18

updated:March 16, 2026 at 10:08

SKILL.md

readonly

name	kuri-agent
description	Use kuri-agent to automate Chrome — navigate pages, interact with elements via a11y refs, capture screenshots, run security audits, enumerate cookies/JWTs, probe for IDOR vulnerabilities, and make authenticated fetches. Use when the user wants to automate a browser, test a web app, scrape data, or run security trajectories against a live site.
argument-hint	[command] [args...]
allowed-tools	Bash

kuri-agent — Agentic Chrome CLI

kuri-agent drives Chrome via CDP. It stores session state in ~/.kuri/session.json so commands chain together naturally.

Binary location

After building: ./zig-out/bin/kuri-agent After installing to PATH: kuri-agent

Build: zig build agent -Doptimize=ReleaseFast

Workflow

Every session follows this pattern:

# 1. Find a Chrome tab
kuri-agent tabs
# → [{"id":"ABC...","url":"https://...","ws":"ws://127.0.0.1:9222/devtools/page/ABC..."}]

# 2. Attach to a tab
kuri-agent use ws://127.0.0.1:9222/devtools/page/ABC...

# 3. Navigate + interact
kuri-agent go https://example.com
kuri-agent snap --interactive    # get clickable elements as @eN refs
kuri-agent click e2
kuri-agent type e3 "hello world"
kuri-agent shot                  # screenshot → ~/.kuri/screenshots/<ts>.png

All commands

Discovery & session

kuri-agent tabs [--port N]       # list Chrome tabs (default port 9222)
kuri-agent use <ws_url>          # attach to tab, save session
kuri-agent status                # show current session

Navigation

kuri-agent go <url>
kuri-agent back / forward / reload

Page inspection

kuri-agent snap                          # full a11y snapshot (JSON with @eN refs)
kuri-agent snap --interactive            # only interactive elements
kuri-agent snap --text                   # plain text output
kuri-agent snap --depth 3                # limit tree depth
kuri-agent text                          # get all page text
kuri-agent text "css-selector"           # get text of a specific element
kuri-agent eval "document.title"         # run JavaScript
kuri-agent shot [--out path.png]         # take screenshot

Actions (require a prior snap)

kuri-agent click <ref>           # ref is @e3 or e3
kuri-agent type <ref> <text>
kuri-agent fill <ref> <value>
kuri-agent select <ref> <value>
kuri-agent hover <ref>
kuri-agent focus <ref>
kuri-agent scroll

Security testing

kuri-agent cookies               # list cookies with [Secure] [HttpOnly] [SameSite] flags
kuri-agent headers               # check security response headers (CSP, HSTS, X-Frame-Options)
kuri-agent audit                 # full audit: HTTPS + headers + JS-visible cookies, outputs score/issues
kuri-agent storage [local|session|all]   # dump localStorage / sessionStorage
kuri-agent jwt                   # scan storage+cookies for JWTs, decode and print payloads
kuri-agent fetch <METHOD> <url> [--data <json>]  # authenticated fetch using session cookies + headers
kuri-agent probe <url-template> <start> <end>    # IDOR probe: replaces {id} with start..end

Auth headers (persisted across commands)

kuri-agent set-header Authorization "Bearer eyJ..."
kuri-agent set-header X-Custom-Auth "my-token"
kuri-agent show-headers          # print stored headers
kuri-agent clear-headers         # remove all stored headers

Headers set with set-header are automatically applied via Network.setExtraHTTPHeaders on every subsequent CDP connection.

Security trajectory examples

Enumerate cookies after login

kuri-agent go https://target.example.com
kuri-agent cookies
# cookies (2):
#   session_id  domain=.example.com  [Secure] [HttpOnly] [SameSite=Strict]
#   csrf_token  domain=.example.com  [Secure] [!HttpOnly]

Full security audit

kuri-agent audit
# → {"protocol":"https:","score":4,"issues":["MISSING:content-security-policy","COOKIES_EXPOSED_TO_JS:2"]}

Find and decode JWTs

kuri-agent jwt
# → {"found":1,"tokens":[{"source":"localStorage:token","payload":{"sub":"123","role":"student"}}]}

IDOR probe — enumerate resource IDs

kuri-agent set-header Authorization "Bearer eyJ..."
kuri-agent probe "https://api.example.com/v2/courses/{id}/assessments" 30 40
# → [{"id":30,"status":403},{"id":34,"status":200},{"id":35,"status":403}]

Authenticated fetch with different token

kuri-agent fetch GET "https://api.example.com/v2/user"
kuri-agent fetch POST "https://api.example.com/v2/submissions" --data '{"score":100}'

Output tips

All commands output JSON. audit and headers return CDP wrapper — extract with:

kuri-agent audit | jq '.result.result.value | fromjson'
kuri-agent headers | jq '.result.result.value | fromjson | .headers'

Tips

Always run snap before using click/type/fill — it saves the @eN refs to session
set-header is persistent — set auth token once, all fetch/probe/go commands use it
Use eval for arbitrary JS: kuri-agent eval "localStorage.getItem('token')"
probe reports status per ID — look for 200s on IDs you should not have access to
Chain commands in shell scripts for automated security trajectories

related-skills.json

same repository

kuri-ios.md

from "justrach/kuri"

Use kuri-ios to drive iOS Simulators from the CLI — list sims, boot/shutdown, navigate Safari to URLs (openurl), launch and terminate apps by bundle id, capture PNG screenshots, list installed apps, and (on the Simulator only) tap, doubletap, longpress, swipe/pan, and type via native CGEvent into the Simulator window. Real iPhones over USB are supported for listing and launch/terminate via usbmuxd + xcrun devicectl. Tap/swipe/type/uitree on real devices and uitree on the Simulator are NOT supported in v1 (require XCUITest). Multi-touch (pinch, rotate, two-finger pan) and hardware buttons (Home, Lock, Volume) are not wired yet. Trigger phrases include "screenshot the iPhone sim", "tap on iOS simulator", "doubletap iOS sim", "long press iOS sim", "swipe up on iPhone sim", "pan the iOS simulator", "type into iOS simulator", "open Safari on simulator", "launch iOS Settings", "list booted simulators".

2026-05-20325

kuri-android.md

from "justrach/kuri"

Use kuri-android to drive Android devices and emulators from the CLI via a native Zig adb wire-protocol client. Tap, swipe (scroll), double-tap, long-press, type text, press hardware/navigation keys, take PNG screenshots, dump the UI tree as a flat element list, launch/terminate apps by package, list installed packages, and list attached devices. Talks adb directly over TCP 127.0.0.1:5037 — never shells out to the `adb` binary at runtime. Trigger phrases include "tap on android phone", "screenshot the emulator", "list connected android devices", "dump the android ui tree", "launch chrome on android".

2026-05-07325

kuri-mobile.md

from "justrach/kuri"

Umbrella skill for mobile device control in the kuri ecosystem. Points to kuri-ios (iOS Simulator + real-device listing) and kuri-android (native Zig adb client). Use this when the user asks about "mobile automation" generally, or hasn't specified a platform. For platform-specific work prefer the `kuri-ios` or `kuri-android` skill directly.

2026-05-07325

kuri-server.md

from "justrach/kuri"

Use kuri-server to automate Chrome via HTTP API — navigate pages, get a11y snapshots, interact with elements, capture network traffic (HAR), extract cookies, and bypass bot protection. Use when the user wants to browse websites, scrape data, fill forms, test web apps, or interact with protected sites via a headless browser. Trigger phrases include "browse to", "open the page", "get the page content", "fill the form", "capture network traffic", "get cookies", "bypass bot protection".

2026-04-26325

kuri-browse.md

from "justrach/kuri"

Use kuri-browse for quick terminal-based web browsing — fetch and read web pages as markdown, follow links, search in-page. No Chrome needed. Use when the user wants to quickly read a webpage, check documentation, or browse without launching a full browser. Trigger phrases include "read this page", "fetch the docs", "browse to", "what does this page say".

2026-04-09325

package.json

"author": "justrach"

"repository": "justrach/kuri"

View GitHub Repository View Creator Repositories

$ install --global

$ download --local

Run Skill in Manus

$ useful --forSOC

Information Security AnalystsComputer and Mathematical Occupations15-1212L4

kuri-agent

kuri-agent — Agentic Chrome CLI

Binary location

Workflow

All commands

Discovery & session

Navigation

Page inspection

Actions (require a prior snap)

Security testing

Auth headers (persisted across commands)

Security trajectory examples

Enumerate cookies after login

Full security audit

Find and decode JWTs

IDOR probe — enumerate resource IDs

Authenticated fetch with different token

Output tips

Tips

More from this repository

More from this repository

kuri-agent — Agentic Chrome CLI

Binary location

Workflow

All commands

Discovery & session

Navigation

Page inspection

Actions (require a prior snap)

Security testing

Auth headers (persisted across commands)

Security trajectory examples

Enumerate cookies after login

Full security audit

Find and decode JWTs

IDOR probe — enumerate resource IDs

Authenticated fetch with different token

Output tips

Tips