playwright-cli
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): The run-code command allows for the execution of arbitrary Playwright and JavaScript code strings within the Node.js environment. This creates a significant risk of remote code execution if the agent interpolates untrusted data from the user or a website into these commands. Evidence found in references/running-code.md.
- [CREDENTIALS_UNSAFE] (HIGH): Commands such as cookie-list, cookie-get, localstorage-get, and state-save provide direct access to sensitive session information, authentication tokens, and cookies, which could be used to hijack user accounts. Evidence found in references/storage-state.md.
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to indirect prompt injection.
  1. Ingestion: Untrusted data enters the agent context via snapshots and evaluations of web page content.
  2. Boundaries: There are no boundary markers or instructions to ignore embedded commands.
  3. Capabilities: The skill has high-privilege interaction capabilities including arbitrary code execution (run-code), file uploads, and session manipulation.
  4. Sanitization: No evidence of sanitization or validation of the ingested web content is provided.
  Evidence found in SKILL.md and references/request-mocking.md.
- [COMMAND_EXECUTION] (MEDIUM): The skill relies on the Bash(playwright-cli:*) toolset, allowing the agent to execute a wide variety of subcommands that interact with the host system's browser processes and file system. Evidence found in SKILL.md.
- [DATA_EXFILTRATION] (MEDIUM): Features like screenshot, pdf, and state-save can be used to capture and export sensitive information from web applications or the browser's persistent state to the local file system. Evidence found in SKILL.md.
- [EXTERNAL_DOWNLOADS] (LOW): The install-browser command facilitates the download of browser binaries. While standard for Playwright's operation, it involves fetching executable code from remote sources. Evidence found in SKILL.md.
Recommendations
- AI detected serious security threats