The Agent Skills Directory

Indirect Prompt Injection (LOW): The skill provides a script (measurePagePerformance) that ingests a URL and uses Puppeteer to automate a browser. This creates an attack surface where a malicious website could attempt to influence the agent via processed page data or manipulated performance metrics.\n
Ingestion points: url parameter in the Puppeteer measurePagePerformance example.\n
Boundary markers: Absent in the provided template.\n
Capability: The script uses Puppeteer for navigation and JavaScript execution (page.evaluate).\n
Sanitization: None; the script extracts data from the global window.performance object without validation.\n- Data Exfiltration (SAFE): Performance metrics are sent to a relative path /api/metrics, which is a standard pattern for first-party telemetry and not an exfiltration risk.\n- Unverifiable Dependencies (SAFE): References standard packages like Puppeteer and React which are trusted in a web development context.\n- Credentials Unsafe (SAFE): No hardcoded secrets or sensitive configuration data identified in the markdown or code examples.

web-performance-optimization