wp-playground

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill is designed to ingest and process external 'Blueprints' via the blueprint-url parameter and the --blueprint CLI flag.
      • Ingestion points: https://playground.wordpress.net/?blueprint-url=... and npx @wp-playground/cli server --blueprint=... (SKILL.md).
      • Boundary markers: None. The agent is encouraged to fetch and apply these configurations directly.
      • Capability inventory: The skill provides powerful execution steps including runPHP (arbitrary PHP execution), wp-cli (WordPress command execution), and writeFile (filesystem modification).
      • Sanitization: None. The skill executes the steps defined in the blueprint without validation or sandboxing within the host environment context.
  • Dynamic Execution (HIGH): The blueprint format explicitly supports code execution steps.
      • Evidence: The runPHP step (found in blueprints/base.json and documented in SKILL.md) allows raw PHP code to be executed. In an agentic context, an attacker providing a malicious blueprint could execute code that attempts to escape the WebAssembly sandbox or consume host resources.
  • External Downloads & RCE (MEDIUM): The skill instructions rely heavily on npx @wp-playground/cli.
      • Evidence: npx downloads and executes the latest version of the package from the npm registry at runtime. While @wp-playground/cli is the official package, it is not within the defined 'Trusted Sources' scope, representing a runtime code execution risk if the package or its dependencies are compromised.
  • Command Execution (MEDIUM): The skill requests the Bash tool and provides commands for mounting local directories into the playground.
      • Evidence: Use of --mount=/local/path:/var/www/... could be used to expose sensitive local files to the WordPress environment if the agent is tricked into mounting high-privilege paths.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 12:50 PM