playwright-skill

Fail

Audited by Gen Agent Trust Hub on Apr 14, 2026

Risk Level: HIGH
COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, SAFE
Full Analysis
  • [DYNAMIC_EXECUTION]: The run.js file implements a mechanism to execute arbitrary JavaScript code. It accepts code as a command-line argument, via stdin, or from a file path. It then wraps this code in an asynchronous template, writes it to a temporary file (e.g., .temp-execution-*.js) within the skill directory, and executes it using the Node.js require() function.
  • [COMMAND_EXECUTION]: The run.js script uses child_process.execSync to perform environment setup tasks. It automatically runs npm install and npx playwright install chromium if the Playwright dependency is not detected, allowing the skill to execute shell commands on the host system.
  • [DATA_EXFILTRATION]: The skill provides extensive browser automation tools through Playwright, including the ability to capture screenshots, navigate to any URL, and extract page content. This functionality can be used to access sensitive data on local development servers, internal networks, or authenticated web applications and potentially transmit it to external locations.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it extracts and processes content from web pages using helper functions like extractTexts and extractTableData in lib/helpers.js.
      • Ingestion points: Functions in lib/helpers.js that read text and structured data from the browser DOM.
      • Boundary markers: No delimiters or instructions are used to prevent the agent from obeying instructions embedded in the extracted web content.
      • Capability inventory: The skill has the ability to execute shell commands and write to the filesystem via run.js.
      • Sanitization: No validation or filtering is performed on the data extracted from web pages before it is provided to the agent.
  • [SAFE]: The skill's primary dependency, playwright, is a well-known package from a trusted organization. The automated installation of this dependency and its associated browser binaries follows standard development practices for automation tools.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 14, 2026, 05:35 PM