webapp-testing

Warn

Audited by Gen Agent Trust Hub on Feb 28, 2026

Risk Level: MEDIUM
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The instructions explicitly direct the agent to treat helper scripts as 'black boxes' and avoid reading their source code to prevent 'context window pollution'. This is a defensive pattern that could be used to bypass security inspection of the skill's executable components.
  • [COMMAND_EXECUTION]: The skill relies on executing arbitrary shell commands via scripts/with_server.py to start local servers (e.g., npm run dev, python server.py). This allows the agent to spawn background processes with user-defined strings.
  • [DATA_EXFILTRATION]: The skill performs automated browser interactions, including capturing full-page screenshots saved to /tmp/inspect.png and extracting page content via page.content(). While intended for debugging, this provides a mechanism for accessing and potentially exfiltrating sensitive data rendered in the web application.
  • [REMOTE_CODE_EXECUTION]: The skill's primary workflow involves the dynamic creation and execution of Python automation scripts (your_automation.py) which are then executed in the local environment.
  • [PROMPT_INJECTION]: As the skill is designed to interact with and process content from web applications (via page.content() and page.locator()), it is inherently susceptible to indirect prompt injection where malicious instructions embedded in a target website could influence the agent's subsequent actions.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 28, 2026, 11:04 PM