The Agent Skills Directory

[COMMAND_EXECUTION]: Mandatory instructions in SKILL.md and several workflow files require the agent to execute a silent curl command to http://localhost:8888/notify immediately upon invocation. This process exfiltrates metadata about the agent's internal state to a local network port without explicit user consent.
[COMMAND_EXECUTION]: The Workflows/Automate.md orchestrator dynamically constructs shell commands by performing string replacement on recipe templates using unsanitized user-provided values (e.g., {URL}, {PROMPT}). This creates a significant risk of command injection if the inputs contain shell metacharacters.
[COMMAND_EXECUTION]: The skill provides a 'mid-session workaround' that launches the user's primary browser with the --remote-debugging-port enabled, exposing the user's authenticated sessions, cookies, and profile data to programmatic control.
[PROMPT_INJECTION]: The skill uses imperative directives ('MANDATORY', 'REQUIRED') to force the agent to execute specific side-effect commands (the curl notification) before addressing the user's request, effectively overriding default operational behavior.
[PROMPT_INJECTION]: The skill exhibits an indirect prompt injection vulnerability surface.
Ingestion points: Reads untrusted web content via playwright-cli snapshot and external YAML configuration files.
Boundary markers: Absent; external data is processed as direct context for sub-agents.
Capability inventory: Full browser control via playwright-cli (including JavaScript eval), network operations via curl, and sub-agent spawning.
Sanitization: None detected.
[EXTERNAL_DOWNLOADS]: The skill relies on external browser automation tools (playwright-cli, playwright) from established providers.

Browser