playwright

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill exposes the pwcli eval and pwcli run-code commands in references/cli.md. These commands allow the execution of arbitrary JavaScript within the browser context. An attacker (or a malicious website via indirect injection) could use this to execute code to steal credentials, manipulate the DOM, or perform actions on behalf of the user.
  • [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8).
      • Ingestion points: The skill reads content from external websites via the snapshot and eval commands.
      • Boundary markers: None. There are no delimiters or instructions to ignore embedded commands in the data retrieved from pages.
      • Capability inventory: Very High. The agent can control a browser, take screenshots, save PDFs, and execute arbitrary JS.
      • Sanitization: None. Web content is processed directly by the agent to determine next steps.
      • Risk: A malicious website could contain hidden instructions that redirect the agent's task, such as stealing data from other open tabs or sessions.
  • [DATA_EXFILTRATION] (MEDIUM): The tool can be used to access sensitive session data (cookies, localStorage) and send it to external URLs. references/cli.md explicitly describes commands to interact with any URL and execute code, which provides a direct path for data theft if the agent is misled.
  • [EXTERNAL_DOWNLOADS] (LOW): The scripts/playwright_cli.sh script uses npx --yes --package @playwright/cli to download and execute the Playwright CLI at runtime. While the author (OpenAI) and the package are within the trusted scope, runtime downloads with bypassed confirmation (--yes) are a security risk if the registry or package is compromised. Severity is downgraded per [TRUST-SCOPE-RULE].
  • [COMMAND_EXECUTION] (LOW): The skill relies on executing shell commands via the playwright_cli.sh wrapper. While expected for a CLI tool, it increases the attack surface if the agent is not properly sandboxed.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:13 AM