opencli-web-automation

Warn

Audited by Gen Agent Trust Hub on Mar 17, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes a dynamic loading mechanism (referenced in loader.ts) that automatically registers and executes TypeScript (.ts) and YAML files dropped into the clis/ directory. This pattern allows for the execution of arbitrary code if unauthorized files are placed in that folder.
  • [CREDENTIALS_UNSAFE]: The setup instructions guide users to export a sensitive PLAYWRIGHT_MCP_EXTENSION_TOKEN into plain-text shell configuration files such as ~/.zshrc or ~/.bashrc, increasing the risk of credential exposure to other local processes or users.
  • [DATA_EXFILTRATION]: The skill's primary function includes extracting authentication tokens, cookies, and headers from the user's active browser session (localStorage, sessionStorage) to perform automated actions, which involves handling highly sensitive user data.
  • [PROMPT_INJECTION]: The tool performs 'AI-powered command discovery' by exploring external websites to synthesize adapters. This creates an indirect prompt injection surface where a malicious website could host content designed to influence the code generation or the agent's interpretation of site capabilities.
      • Ingestion points: The opencli explore command reads and processes arbitrary web content from external URLs.
      • Boundary markers: No specific boundary markers or 'ignore' instructions are documented to distinguish site content from system instructions during synthesis.
      • Capability inventory: The skill has the ability to write to the local file system (.opencli/ directory), perform network requests, and execute browser automation scripts.
      • Sanitization: No explicit sanitization or validation of the scraped data is mentioned before it is used to 'synthesize' adapters.
  • [EXTERNAL_DOWNLOADS]: The installation process fetches the @jackwener/opencli package and recommends the Playwright MCP Bridge extension from the Chrome Web Store. These resources are hosted on third-party registries outside the vendor's direct infrastructure.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 17, 2026, 01:38 PM