The Agent Skills Directory

Unverifiable Dependencies & Remote Code Execution (HIGH): The page.eval operation (documented in SKILL.md and references/page.md) allows for the execution of arbitrary JavaScript within the browser context. This is a high-risk capability that can be exploited if the agent evaluates content derived from untrusted web pages.\n- Data Exposure & Exfiltration (HIGH): The skill includes operations such as auth.cookies and auth.show (in references/auth.md) that explicitly retrieve and display browser session cookies and authentication metadata. This presents a direct path for sensitive credential exfiltration. Additionally, the skill automatically injects credentials from ./playwright/auth/*.json.\n- Persistence Mechanisms (HIGH): The scripts/start-daemon.sh script launches a persistent pw daemon using nohup and disown. This allows the browser control infrastructure to remain active in the background, potentially facilitating long-term unauthorized access or monitoring.\n- Indirect Prompt Injection (LOW): The skill is designed to ingest large amounts of untrusted data from the web via operations like page.text, page.html, and page.read (in references/page.md).\n
Ingestion points: untrusted web content is loaded into the agent's context through various page-reading operations.\n
Boundary markers: None. There are no instructions to the agent to treat data from the browser as untrusted or to ignore embedded instructions.\n
Capability inventory: The agent has access to powerful tools including JS execution (page.eval), cookie extraction (auth.cookies), and background process management.\n
Sanitization: No evidence of sanitization, filtering, or validation of the content retrieved from web pages.

pw