playwright-browser
Warn
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses management scripts to control Docker containers configured with ipc: host, which shares the host system's inter-process communication namespace and weakens the isolation boundary between the container and the host.
- [EXTERNAL_DOWNLOADS]: The Docker container is configured to run npm install during its startup process to fetch the express and playwright libraries from the public NPM registry.
- [REMOTE_CODE_EXECUTION]: The skill exposes an /evaluate endpoint that allows arbitrary JavaScript execution within the browser context. This browser is launched with the --no-sandbox and --disable-setuid-sandbox flags, which disable internal browser security protections and increase the risk of exploitation.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through web content processing.
  - Ingestion points: Data is ingested from external websites via navigate.rb and the content extraction endpoints.
  - Boundary markers: No markers are implemented to distinguish untrusted web data from agent instructions.
  - Capability inventory: The skill allows for JavaScript execution, form interaction, and element clicking.
  - Sanitization: No validation or sanitization is performed on ingested content or executed JavaScript expressions.
- [DATA_EXFILTRATION]: The Playwright API server listens on 0.0.0.0 (all network interfaces) and is exposed to the host without any authentication mechanism, potentially allowing any entity on the local network to control the browser and access sensitive data.