dev-test

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill is susceptible to Indirect Prompt Injection via external web content.
    • Ingestion Points: Data enters the agent context through mcp__playwright__browser_snapshot (HTML content), mcp__playwright__browser_console_messages (JavaScript logs), and mcp__playwright__browser_network_requests (API metadata/responses) from URLs specified via the --url argument.
    • Boundary Markers: Absent. There are no instructions to the agent to treat page content as untrusted or to ignore instructions embedded in the target site.
    • Capability Inventory: The skill uses the Edit tool to modify local files when the --fix flag is used, and the mcp__playwright suite for browser control.
    • Sanitization: Absent. There is no evidence of sanitization or validation of the content retrieved from the browser before it is used to determine 'suggested fixes'.
  • [COMMAND_EXECUTION] (HIGH): The --fix functionality allows the agent to modify the filesystem using the Edit tool based on its interpretation of external data. An attacker could host a page that produces specific console errors or network failures designed to trick the agent into applying a malicious 'fix' to the local codebase.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill is designed to navigate to and interact with arbitrary external URLs. While necessary for its stated purpose, this provides the primary vector for data ingestion from untrusted sources. Note: Automated scanners flagged 'r.url.in' as malicious, but this appears to be a false positive caused by a substring match within the legitimate code r.url.includes.
  • [REMOTE_CODE_EXECUTION] (LOW): The skill executes JavaScript within a browser context (Playwright). While sandboxed, this is a form of remote code execution on the target URL content.
Recommendations
  • AI detected serious security threats
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 12:05 PM