playwright-local

Pass

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: SAFE
PROMPT_INJECTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is designed to ingest and process untrusted content from arbitrary websites, creating a surface for Indirect Prompt Injection where malicious instructions embedded in a webpage could influence the agent's behavior.
      • Ingestion points: Web content is fetched and returned to the agent context in templates/basic-scrape.ts, templates/stealth-mode.ts, and SKILL.md using page.goto(), page.textContent(), and page.$$eval().
      • Boundary markers: No explicit delimiters or system-level instructions to ignore embedded commands within the scraped data are present in the code templates.
      • Capability inventory: The skill uses scripts that can launch local browser processes (browser.launch), execute JavaScript in the browser (page.evaluate), write files to the local disk (fs.writeFile), and perform network requests.
      • Sanitization: The scraped content is processed and returned without sanitization or filtering for potentially malicious instructions.
  • [DATA_EXFILTRATION]: Documentation in references/common-blocks.md includes implementation patterns for sending site keys and target URLs to third-party solving services such as 2captcha.com, which involves transmitting data from the agent's environment to an external provider.
  • [CREDENTIALS_UNSAFE]: The templates/authenticated-session.ts file implements a session persistence pattern that saves raw session cookies to a local session.json file. If the local environment is shared or insecure, these cookies could be accessed by unauthorized users to hijack sessions.
  • [COMMAND_EXECUTION]: The skill includes a shell script scripts/install-browsers.sh which executes system commands (npx playwright install, playwright install) to download and install browser binaries and their system dependencies.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 10, 2026, 03:49 AM