chrome-automation

Pass

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is primarily designed to ingest untrusted data from the web through functions like scrapeData(url) and page.goto(url). This creates a surface for Indirect Prompt Injection, where instructions embedded in a target website could attempt to override the agent's behavior.
  • Ingestion points: Web content is ingested via page.goto() and extracted using page.evaluate() or page.$$eval() in multiple examples within SKILL.md.
  • Boundary markers: No boundary markers or "ignore instructions" warnings are included in the examples for handling external web content.
  • Capability inventory: The skill allows high-privilege tools including Bash, and the automation logic includes file uploads (uploadFile), cookie management, and network request interception.
  • Sanitization: There is no evidence of sanitization, filtering, or validation of the content scraped from external URLs before it is processed by the agent.
  • [COMMAND_EXECUTION]: The skill frontmatter explicitly enables the Bash tool. When combined with the ability to download files via the browser or interact with the local filesystem (as seen in the uploadFile and pdf/screenshot examples), this provides a high-privilege environment that increases the impact of potential exploitation.
  • [EXTERNAL_DOWNLOADS]: The automation scripts are designed to navigate to and interact with arbitrary external URLs. While the libraries themselves (Puppeteer, Playwright) are well-known, the operation of the skill involves the execution of remote web assets and potentially the download of files to the local system.
  • [SAFE]: The browser launch configuration includes --no-sandbox and --disable-setuid-sandbox. While these flags significantly weaken the browser's internal security model, they are documented as standard practice for running headless Chrome in certain restricted environments (like Docker containers) and do not indicate malicious intent by the author.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 5, 2026, 07:55 AM