browser-navigator

Fail

Audited by Gen Agent Trust Hub on Mar 2, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The entry point in src/index.ts uses execSync to run npx playwright test with a user-provided scenario path. The path is wrapped in double quotes but not otherwise sanitized, so a path containing a closing double quote followed by standard shell operators (e.g., ;, &&, or backticks) breaks out of the string and executes arbitrary shell commands.
  • [REMOTE_CODE_EXECUTION]: The skill is designed to execute Playwright specification files (.spec.js). Because these files are executable JavaScript, any user capable of supplying a scenario path can execute arbitrary code on the system where the agent is running.
  • [CREDENTIALS_UNSAFE]: In src/lib.ts, the loadCredentials function reads JSON files from the sensitive path knowledge/personal/connections/. These files contain plaintext user IDs and passwords.
  • [DATA_EXFILTRATION]: The YAML scenario engine in src/lib.ts allows the login action to input managed credentials into forms on any URL specified by the goto action. A malicious scenario could direct the agent to an attacker-controlled website to harvest these credentials.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection.
      • Ingestion points: In src/lib.ts, the loop_approve function reads text directly from a web page using page.innerText('body').
      • Boundary markers: None present; the scraped content is added directly to the execution report.
      • Capability inventory: The skill has significant capabilities including file system access (safeReadFile), network operations (Playwright navigation), and shell execution (execSync).
      • Sanitization: There is no sanitization or filtering of the scraped web content before it is included in the report, allowing malicious instructions on a webpage to potentially influence the agent's subsequent reasoning steps.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 2, 2026, 03:22 AM