skills/jpropato/siba/webapp-testing/Gen Agent Trust Hub

webapp-testing

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • COMMAND_EXECUTION (MEDIUM): The script scripts/with_server.py uses subprocess.Popen(server['cmd'], shell=True) to execute server commands. Because shell=True is used with strings provided as CLI arguments, it allows for shell metacharacter injection (e.g., appending ; command). It also executes the trailing automation command via subprocess.run().
  • PROMPT_INJECTION (LOW): The SKILL.md file contains a directive telling the agent: 'DO NOT read the source until you try running the script first'. This is a suspicious instruction that discourages the AI from performing security verification on executable code before it is run.
  • INDIRECT_PROMPT_INJECTION (LOW): Mandatory Evidence Chain:
    1. Ingestion point: page.content() and page.locator().all() in SKILL.md.
    2. Boundary markers: None specified.
    3. Capability inventory: Arbitrary shell execution via with_server.py and filesystem access via page.screenshot(path='/tmp/inspect.png').
    4. Sanitization: None.
    The skill processes untrusted web content, which could contain instructions targeting the script-generation logic.
  • DYNAMIC_EXECUTION (MEDIUM): The skill is designed around the agent dynamically writing and executing Python Playwright scripts at runtime based on the state of a local or remote web application.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:25 PM