The Agent Skills Directory

[Indirect Prompt Injection] (LOW): The skill's primary function is to interact with and process data from external websites, which serves as a potential vector for indirect prompt injection.
Ingestion points: Untrusted data enters the agent's context through tools like mcp__playwright__browser_navigate, mcp__playwright__browser_evaluate, and mcp__playwright__browser_snapshot.
Boundary markers: The skill does not specify any boundary markers or instructions to ignore embedded commands when processing content from the browser.
Capability inventory: The skill possesses extensive capabilities, including browser automation (navigation, clicks, keystrokes) and local command execution via a Python script.
Sanitization: There is no evidence of sanitization or filtering of the content retrieved from web pages.
[Unverifiable Dependencies & Remote Code Execution] (LOW): The skill documentation instructs the user to install an unversioned third-party package.
Evidence: The skill requires pillow for image diffing and suggests using pip install pillow in SKILL.md.
Risk: Unversioned package installations are a minor security concern related to environment stability and supply chain integrity.
[Dynamic Execution] (SAFE): The skill executes a bundled Python script for visual regression testing.
Evidence: scripts/imgdiff.py is invoked to compare image files.
Analysis: The script is a standard utility included with the skill and performs limited image processing using the Pillow library without dangerous system or network calls.

playwright-testing