webapp-testing

Warn

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The helper script scripts/with_server.py uses subprocess.Popen with shell=True to execute server commands provided via the --server argument. It also uses subprocess.run to execute the final automation command. This allows for arbitrary shell command execution on the host system.
      Evidence: process = subprocess.Popen(server['cmd'], shell=True, ...) and result = subprocess.run(args.command) in scripts/with_server.py.
  • [DATA_EXFILTRATION]: Example scripts capture browser console logs and screenshots, saving them to local file paths. If the web application under test outputs sensitive information (e.g., tokens, PII) to the console, this data could be exposed or exfiltrated if the output directory is accessible to an attacker.
      Evidence: page.on("console", handle_console_message) and with open('/mnt/user-data/outputs/console.log', 'w') as f: in examples/console_logging.py.
  • [PROMPT_INJECTION]: The SKILL.md file contains instructions that could be interpreted as a form of indirect prompt injection by discouraging the agent from reading the source code of the scripts and instead relying on running them with --help. This 'black-box' approach could hide malicious behavior within the scripts from the agent's analysis.
      Evidence: 'DO NOT read the source until you try running the script first... These scripts can be very large and thus pollute your context window.' in SKILL.md.
Audit Metadata
  Risk Level: MEDIUM
  Analyzed: Mar 9, 2026, 10:09 PM