The Agent Skills Directory

[REMOTE_CODE_EXECUTION] (CRITICAL): The main function in run.js reads input from process.argv or process.stdin, saves it to a temporary file (.temp-execution-...js), and executes it using require(). This is a direct vector for arbitrary code execution.
[COMMAND_EXECUTION] (HIGH): The installPlaywright function uses child_process.execSync to run npm install and npx playwright install, which executes shell commands with inherited permissions.
[EXTERNAL_DOWNLOADS] (LOW): The skill automatically downloads the playwright npm package and browser binaries. While these are from a standard source, the automated installation and execution of external binaries is a risk.
[INDIRECT_PROMPT_INJECTION] (HIGH): \n 1. Ingestion points: Untrusted data enters the script via CLI arguments and standard input in the getCodeToExecute function. \n 2. Boundary markers: No boundary markers or 'ignore' instructions are used to sanitize or delimit the code being executed. \n 3. Capability inventory: The script has full access to the file system (fs.writeFileSync, fs.unlinkSync), shell execution (execSync), and dynamic JavaScript execution (require). \n 4. Sanitization: There is no validation or sanitization of the input before it is written to a file and executed.
[DYNAMIC_EXECUTION] (HIGH): The script dynamically generates and wraps code in an async IIFE template before execution. It also attempts to require a local module ./lib/helpers which is not provided in the skill manifest, suggesting potential for side-loading or missing file dependencies.

Playwright Browser Automation