Browser Automation Expert

Warn

Audited by Gen Agent Trust Hub on Mar 21, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The utility script scripts/with_server.py uses subprocess.Popen with shell=True to execute server commands provided via arguments. This allows execution of arbitrary shell commands, which could be exploited to run unintended processes if the command strings are sourced from unvalidated data.
      • Evidence: Found in scripts/with_server.py at line 81: process = subprocess.Popen(server['cmd'], shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE).
  • [PROMPT_INJECTION]: The skill facilitates the ingestion and processing of external web content, creating a surface for indirect prompt injection attacks. Malicious instructions embedded in the HTML or text of a visited website could override the agent's current task or instructions.
      • Ingestion points: The skill uses page.content() and evaluate to extract data from websites (referenced in SKILL.md and AGENTS.md).
      • Boundary markers: No specific delimiters or "ignore instructions" markers are used when interpolating web content into prompts.
      • Capability inventory: The agent has access to subprocess.run, file system writing (to /mnt/user-data/outputs/ and /tmp/), and full browser control.
      • Sanitization: No explicit sanitization or filtering of the scraped content is performed before processing.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 21, 2026, 10:18 AM