The Agent Skills Directory

[REMOTE_CODE_EXECUTION]: The script scripts/eval.js implements dynamic execution by passing arbitrary strings from command-line arguments directly to Playwright's page.evaluate() method. This allows the agent to execute any JavaScript within the browser context, which could be abused if the agent is influenced by malicious external content.
[EXTERNAL_DOWNLOADS]: The scripts/install.sh file executes npx playwright install, which downloads browser binaries for Chromium, Firefox, and WebKit from the official Playwright project. While these are from a well-known service, they involve downloading and installing external executable binaries.
[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it is designed to ingest and process untrusted data from the open web.
Ingestion points: Web page content accessed via scripts/nav.js, scripts/start.js, and scripts/screenshot.js.
Boundary markers: None; the scripts do not use delimiters or instructions to ignore embedded commands in the pages being browsed.
Capability inventory: The skill can execute arbitrary JavaScript (eval.js), write to the filesystem (screenshots and logs), and monitor network traffic.
Sanitization: There is no evidence of sanitization or filtering of the HTML or JavaScript content retrieved from remote URLs before it is processed or logged.
[DATA_EXFILTRATION]: The skill records detailed network activity, console logs, and page errors to the local filesystem at ~/.cache/agent-web/logs/. These logs, which may contain sensitive session data or API responses from visited sites, are accessible via scripts/logs-tail.js and scripts/net-summary.js. Additionally, scripts/screenshot.js saves page captures to the system temporary directory without automatic cleanup.

play-browser