ui-preview

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION
Full Analysis
  • [Remote Code Execution / Dynamic Execution] (HIGH): The evaluate_script tool allows execution of arbitrary JavaScript within the browser context. This gives an agent (or an attacker via injection) a mechanism to read local storage or cookies, or to interact with the DOM to steal secrets.
  • [Data Exposure & Exfiltration] (HIGH): The skill documentation explicitly lists sensitive UI components as targets for the take_screenshot tool, including #settings-access-token-section, #billing-section, and #code-host-connections-section. Capturing these visual elements constitutes a significant exposure of high-value credentials and private information.
  • [Indirect Prompt Injection] (HIGH):
      • Ingestion points: Data loaded into the browser via navigate_page from local servers (localhost:7001, localhost:7002).
      • Boundary markers: None identified. The skill instructions encourage the agent to 'Analyze captured screenshots', creating a direct path for visual or textual instructions on a page to influence agent behavior.
      • Capability inventory: Includes arbitrary script execution (evaluate_script), browser navigation, and visual data exfiltration via screenshots.
      • Sanitization: Absent. There is no validation or filtering of the content rendered by the local dev servers. If these servers display any user-controlled or external data, that data can be used to hijack the agent's session and invoke the evaluate_script tool to exfiltrate secrets.
  • [Command Execution] (MEDIUM): While the primary tools are browser-focused, the documentation mentions checking .amp/dev-environment.txt for URLs, indicating that file system access is expected to exist in the agent's environment alongside this skill.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 06:38 AM