web-auth

Warn

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill relies on executing a Node.js script using a hardcoded absolute file path: /Users/avifen/.agentsys/plugins/web-ctl/scripts/web-ctl.js. Hardcoding paths in a specific user's home directory is a security risk in multi-user environments and can lead to execution failures or hijacking if an attacker controls the specified directory structure.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it processes untrusted content from external web pages. Although the skill includes a defensive warning block and suggests using [PAGE_CONTENT: ...] delimiters, it ultimately relies on the agent's ability to follow these instructions to avoid executing malicious commands found in page text.
      • Ingestion points: Content retrieved from web pages during authentication and verification steps.
      • Boundary markers: Suggests the use of [PAGE_CONTENT: ...] as a delimiter for untrusted text.
      • Capability inventory: Executes local shell commands via Node.js, manages browser sessions, and persists credentials in storage.
      • Sanitization: No programmatic sanitization of page content is described; the skill relies on the agent's adherence to safety instructions.
  • [EXTERNAL_DOWNLOADS]: The skill documentation describes the installation of external dependencies, including Microsoft's Playwright library (npx playwright install chromium) and system utilities such as Xvfb, x11vnc, and novnc. While these are well-known tools from trusted sources, they represent an expanded attack surface on the host system.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 10, 2026, 03:48 PM