develop-web-game

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill navigates to external URLs and executes code within the page context to extract state.
  • Ingestion points: The web_game_playwright_client.js script navigates to a user-provided URL (--url) and calls window.render_game_to_text() and captures console errors.
  • Boundary markers: None. The script takes raw input from the web page's JavaScript environment.
  • Capability inventory: The script has file-system write access (fs.writeFileSync) and saves screenshots, game state, and console errors to the workspace. The agent is specifically instructed to 'Review console errors and fix' them and 'read progress.md', creating a feedback loop where an attacker-controlled web page can influence the agent's code modifications.
  • Sanitization: No sanitization is performed on the data returned from render_game_to_text or console logs before writing to disk.
  • External Downloads (LOW): The skill recommends installing @playwright/mcp and playwright. While these are powerful tools, the author 'openai' is within the [TRUST-SCOPE-RULE], downgrading the download risk itself to LOW.
  • Command Execution (MEDIUM): The skill relies on executing a Node.js script that controls a headless browser. While the script's logic is visible, the browser automation capability allows it to interact with any web-accessible content, which serves as a vector for the high-severity indirect injection findings.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 01:36 AM