playwright-cli

Fail

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: HIGH
Categories: REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): The playwright-cli run-code command (documented in references/running-code.md) allows for the execution of arbitrary JavaScript within the browser context. This provides a direct interface for executing unverified code, which could be exploited to bypass security controls or perform malicious actions if the agent is manipulated by external input.
  • [DATA_EXFILTRATION] (MEDIUM): The skill includes comprehensive commands for accessing and exporting sensitive browser data. This includes state-save, cookie-list, localstorage-get, and sessionstorage-list (documented in references/storage-state.md). While these are functional for automation, they provide a high-fidelity pathway for exfiltrating authentication tokens and session data.
  • [COMMAND_EXECUTION] (MEDIUM): The skill is granted broad access to the shell via Bash(playwright-cli:*). Commands like playwright-cli install --skills and playwright-cli install-browser perform environment modifications and download external binaries, which can be risky if redirected.
  • [Indirect Prompt Injection] (LOW): The skill is designed to ingest untrusted data from the web, creating a vulnerability to indirect prompt injection.
    • Ingestion points: playwright-cli snapshot and playwright-cli eval ingest raw DOM and text content from websites into the agent's context.
    • Boundary markers: The documentation does not specify the use of delimiters or 'ignore' instructions for ingested content.
    • Capability inventory: The skill possesses high-impact capabilities including run-code (arbitrary JS), fill (input manipulation), and state-save (credential access).
    • Sanitization: There is no evidence of sanitization or filtering of the web content before it is processed by the agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 19, 2026, 10:19 AM