The Agent Skills Directory

Indirect Prompt Injection (HIGH): The skill is designed to process untrusted data from the web, creating a significant attack surface for indirect instructions. * Ingestion points: Tools like browser_navigate and browser_snapshot (in SKILL.md) bring external, attacker-controlled content into the agent's reasoning context. * Boundary markers: Absent. There are no delimiters or specific instructions provided to the agent to ignore or isolate commands found within web pages. * Capability inventory: The skill provides dangerous capabilities including browser_click, browser_type, browser_fill_form, and browser_run_code (JS execution). * Sanitization: Absent. Web content is processed without escaping or filtering, allowing embedded instructions to potentially hijack the agent's workflow.
Unverifiable Dependencies (LOW): The scripts/start-server.sh script executes npx @playwright/mcp@latest. While the @playwright scope is associated with Microsoft (a trusted source), fetching @latest at runtime introduces a risk of supply chain shifts. Per [TRUST-SCOPE-RULE], this download is downgraded to LOW/INFO due to the trusted provider, but remains a notable behavior.
Remote Code Execution (HIGH): The browser_run_code and browser_evaluate tools documented in SKILL.md allow the agent to execute arbitrary JavaScript within the browser context. When combined with navigation to untrusted sites, this allows an attacker to potentially influence the agent to execute malicious scripts locally within the browser session.
Command Execution (LOW): The skill relies on several local shell scripts (start-server.sh, stop-server.sh) and subprocess calls in verify.py to manage the server lifecycle. These are standard operational requirements but represent a local execution footprint.

browsing-with-playwright