webapp-testing

Warn

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: MEDIUM
Categories: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The SKILL.md file contains a directive instructing the agent to 'DO NOT read the source' of scripts before execution. This is a deceptive instruction that attempts to bypass the agent's auditing process and security reasoning, potentially allowing malicious logic in the scripts to run undetected.
  • [COMMAND_EXECUTION]: The script 'scripts/with_server.py' uses 'subprocess.Popen' with 'shell=True' to execute strings passed directly from command-line arguments. This pattern allows arbitrary shell command execution and is highly vulnerable to injection if the input is influenced by untrusted data.
  • [DATA_EXFILTRATION]: The skill implements automated browser capture of console logs and screenshots, saving them to persistent storage paths like '/mnt/user-data/outputs/'. While functional for testing, these capabilities can be repurposed to exfiltrate sensitive data from local web applications.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes content from external web pages and browser console logs without sanitization. Ingestion points: 'examples/element_discovery.py' and 'examples/console_logging.py' read element text and console messages into the agent's context. Boundary markers: No delimiters or explicit instructions are provided to help the agent distinguish untrusted web content from its core task. Capability inventory: The 'scripts/with_server.py' utility provides powerful shell execution capabilities. Sanitization: There is no logic present to filter, escape, or validate data fetched via Playwright.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 10, 2026, 01:15 AM