visual-debugger

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable because it interacts with untrusted external content and possesses extensive write/execute capabilities.
      • Ingestion points: Website content via mcp__playwright__browser_snapshot and console logs via mcp__playwright__browser_console_messages (in SKILL.md); network request data via mcp__playwright__browser_network_requests (in references/playwright-patterns.md).
      • Boundary markers: Absent. There are no instructions or delimiters to prevent the agent from following instructions found within the processed external data.
      • Capability inventory: High-privilege tools including mcp__playwright__browser_type, mcp__playwright__browser_click, and mcp__playwright__browser_evaluate (in SKILL.md); mcp__playwright__browser_file_upload (in references/playwright-patterns.md).
      • Sanitization: Absent. The agent processes raw content from the browser context without validation.
      • Risk: A malicious website could inject commands into the agent's context (e.g., via hidden DOM elements or log messages) to trigger unauthorized actions like credential exfiltration or fraudulent form submissions.
  • [Data Exposure & Exfiltration] (HIGH): The skill explicitly demonstrates patterns for accessing sensitive session data.
      • Evidence: references/playwright-patterns.md provides an example of using mcp__playwright__browser_evaluate to execute localStorage.getItem('userToken').
      • Risk: This provides a direct mechanism for the agent to access and potentially leak authentication tokens if compromised by an indirect injection attack.
  • [Command Execution] (HIGH): Extensive use of arbitrary JavaScript execution.
      • Evidence: Frequent use of mcp__playwright__browser_evaluate in both SKILL.md and references/playwright-patterns.md to run custom scripts.
      • Risk: This capability allows the agent to bypass standard tool constraints and perform any action permitted within the browser session, including data manipulation and cross-site requests.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 12:46 PM