mobile-workflow-generator

Pass

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is subject to indirect prompt injection risks as it ingests and processes untrusted data from the project codebase to influence its generation of test workflows and instructions for sub-agents.
      • Ingestion points: Project source files are accessed extensively using Read, Grep, and Glob tools across Phase 2 (exploration) and Phase 3 (journey discovery).
      • Boundary markers: The prompts provided to the 'Explore' sub-agents lack explicit delimiters or instructions to ignore potential commands embedded within the analyzed source code.
      • Capability inventory: The skill has significant capabilities, including network access and browser interaction via playwright-cli, the ability to spawn further agents via the Task tool, and file system write access for saving workflow documentation.
      • Sanitization: There is no evidence of sanitization or filtering of the content read from the codebase before it is incorporated into prompts or presented to the user.
      • Mitigation: The risk is significantly reduced by the skill's design, which requires explicit user confirmation via AskUserQuestion at multiple stages: confirming the journey list, confirming the action sequence, and approving each individual verification step and screenshot.
  • [DATA_EXFILTRATION]: The skill accesses sensitive authentication state (cookies and localStorage) stored in .playwright/profiles.json. While this is necessary for its stated purpose of testing authenticated journeys, this sensitive data is loaded into a browser instance that navigates to a user-provided URL. This behavior is documented and requires user interaction to provide the URL and select the profile, aligning with expected tool functionality.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 16, 2026, 01:40 AM