robotframework-selenium-skill

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is designed to interact with external web content, which is untrusted by default.
      • Ingestion points: Browser DOM content and page source via Open Browser, Go To, and Get Source (found in SKILL.md and references/waiting-strategies.md).
      • Boundary markers: None present. The agent processes page content directly, without delimiters or safety instructions to ignore embedded commands.
      • Capability inventory: Includes Execute JavaScript, Click Element, Input Text, Capture Page Screenshot, and Start Process (referenced in references/screenshots-logs.md).
      • Sanitization: None present. Content from the web is processed and acted upon directly.
  • [Command Execution] (HIGH): Multiple keywords allow the execution of arbitrary commands or scripts.
      • Evidence: Execute JavaScript (in SKILL.md) allows running arbitrary code in the browser context. Start Process (in references/screenshots-logs.md) is used to invoke ffmpeg, but could be repurposed to launch any system process.
  • [Dynamic Execution] (MEDIUM): The skill uses the Evaluate keyword, which evaluates Python expressions, and Execute JavaScript to perform runtime operations.
      • Evidence: references/waiting-strategies.md uses Evaluate to call input(), which can block or be exploited depending on environment isolation. references/screenshots-logs.md uses Evaluate with open().read() to encode files to Base64, which could be exploited to read sensitive local files if the path is manipulated.
  • [External Downloads] (LOW): The skill documents the installation of standard, well-known libraries.
      • Evidence: pip install robotframework-seleniumlibrary and pip install webdriver-manager (in SKILL.md). These are trusted packages within the automation community.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 12:46 PM