web-demo-video

Fail

Audited by Gen Agent Trust Hub on Feb 26, 2026

Risk Level: HIGH
Tags: COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/record-scenes.ts described in playwright-recording.md uses execSync to run ffmpeg with a command line constructed using the scene.id variable. This ID is part of the scenario JSON generated from user instructions. Without sanitization, a malicious prompt could inject arbitrary shell commands (e.g., by including characters like ; or ") into the execution context.
  • [DATA_EXFILTRATION]: The browser recording implementation in playwright-recording.md executes page.goto(action.url). Since action.url is derived from user input, an attacker can manipulate the agent into navigating to local system files using the file:// protocol or internal network endpoints. The resulting data would be recorded and stored in the video clips, facilitating data exfiltration.
  • [EXTERNAL_DOWNLOADS]: The skill instructions in README.md and SKILL.md rely on downloading and installing numerous external dependencies and browser binaries from public registries via npm, npx, and bunx (e.g., playwright, remotion, chromium).
  • [REMOTE_CODE_EXECUTION]: The execution workflow involves running remote packages via npx and bunx to handle video rendering and project initialization, which grants significant control over the local environment to external code providers.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its architecture.
    1. Ingestion points: User-provided URLs and descriptions are directly used to generate a structured scenario.json as seen in SKILL.md.
    2. Boundary markers: No explicit boundaries or instructions to ignore embedded commands are present in the scenario generation process.
    3. Capability inventory: The skill possesses high-privilege capabilities including shell command execution (execSync) and file system/network access via Playwright.
    4. Sanitization: There is no evidence of validation or escaping for the url, selector, or id fields before they are processed by sensitive system functions.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 26, 2026, 04:51 AM