The Agent Skills Directory

[DYNAMIC_EXECUTION]: The scripts/run.js file implements a universal executor that takes Javascript code from files, inline arguments, or standard input and executes it. It creates a temporary file containing the code and uses the Node.js require() function to load and execute it at runtime. This allows for arbitrary code execution within the agent's environment.
[REMOTE_CODE_EXECUTION]: The package.json setup script and the installPlaywright function in scripts/run.js use npm install and npx playwright install to download and install external dependencies and browser binaries. While these target a well-known service (NPM), they represent the installation of external executable content.
[INDIRECT_PROMPT_INJECTION]: The skill is designed to navigate to external websites and extract content such as DOM structures and text. This content is then processed by the agent. A malicious website could serve instructions designed to influence or override the agent's behavior.
Ingestion points: Page content, DOM text, and link targets extracted via Playwright locators and helpers.
Boundary markers: The SKILL.md file contains a security section explicitly instructing the agent to treat page content as untrusted data, not instructions.
Capability inventory: The skill can execute shell commands (npm run setup), write files to /tmp, perform network requests via Playwright, and execute arbitrary Javascript via scripts/run.js.
Sanitization: No automated sanitization of extracted web content is provided in the utility scripts; it relies on the agent following the provided instructions.
[DATA_EXFILTRATION]: The detectDevServers function in scripts/lib/helpers.js performs a port scan on localhost for common development ports. While restricted to loopback by default, this capability could be used for local service discovery or internal reconnaissance if the target parameters are manipulated.

playwright-skill