screen-control-operator-v3

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Threat categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill is designed to autonomously navigate websites and find elements using 'semantic queries' and 'natural language' via find_element_semantic().
  • Ingestion points: Website content extracted via get_page_structure() and the accessibility tree (File: SKILL.md).
  • Boundary markers: None identified; the skill directly processes external site structures to drive actions.
  • Capability inventory: Full browser control (click, type, navigate), parallel execution, and file writing via save_skill (File: SKILL.md).
  • Sanitization: No evidence of sanitization for website-provided labels or text content used in decision-making.
  • Credential Exposure & Data Exfiltration (HIGH): The 'Skill Recording' feature captures 'all type events (with values)'. This means any sensitive information, including passwords or PII entered during a recorded session, is stored in unencrypted, plain-text JSON files (e.g., skills/my_workflow.json).
  • Command Execution & Dynamic Logic (MEDIUM): The skill implements a domain-specific language (DSL) for browser automation within JSON files. Using play_skill_file() on an untrusted or modified JSON file results in the execution of arbitrary browser actions, which could be used for session hijacking or unauthorized data entry.
  • Metadata Poisoning & Deception (MEDIUM): The documentation makes several unverifiable and authoritative claims (e.g., '100% reliable', 'Built by Claude AI Architect') and suggests it is a 'team of Claude innovators.' These claims are designed to bypass critical user judgment regarding the safety and origin of the skill.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:43 PM