NYC

webapp-testing

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • Indirect Prompt Injection (LOW): The skill interacts with external/local web applications, which serves as an ingestion point for untrusted data that could contain malicious instructions.
      • Ingestion points: Untrusted content enters the context via page.content(), page.screenshot(), and page.locator().all() as shown in SKILL.md.
      • Boundary markers: The skill lacks explicit delimiters or instructions for the agent to ignore instructions embedded within the HTML content.
      • Capability inventory: The agent has access to Bash, Write, and Edit tools, which could be misused if an injection is successful.
      • Sanitization: No sanitization or validation of page content is specified before processing.
  • Command Execution (SAFE): The Bash tool is used for legitimate testing activities such as running pytest and starting local development servers.
  • External Downloads (LOW): Usage of Playwright implies the download of browser binaries; this is downgraded to LOW as Microsoft/Playwright is considered a trusted source.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:05 PM