team-frontend-debug

Pass

Audited by Gen Agent Trust Hub on Mar 8, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The SKILL.md file includes Bash in the allowed-tools list, giving the agent the ability to execute shell commands on the local system. Although no explicit bash commands are defined in the role instructions, the broad permission is an available attack surface.
  • [DYNAMIC_EXECUTION]: The skill uses mcp__chrome-devtools__evaluate_script (referenced in roles/tester/role.md and documented in specs/debug-tools.md) to run arbitrary JavaScript in the browser context. While intended for inspecting application state, this tool allows dynamic execution of code during the debugging session.
  • [INDIRECT_PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through the ingestion of untrusted data from web pages.
      • Ingestion points: Untrusted content enters the agent's context through DOM snapshots (mcp__chrome-devtools__take_snapshot), console messages (list_console_messages), and network logs (list_network_requests) in roles/reproducer/role.md and roles/tester/role.md.
      • Boundary markers: No delimiters, and no instructions to ignore embedded commands, are present in the prompts that process browser-retrieved data.
      • Capability inventory: The system allows file modifications via the Edit tool and system command execution via the Bash tool.
      • Sanitization: There is no evidence that external browser data is sanitized or validated before it is analyzed by the analyzer role or acted upon by the fixer role.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 8, 2026, 04:09 PM