NYC

webapp-testing

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • COMMAND_EXECUTION (MEDIUM): The helper script scripts/with_server.py uses subprocess.Popen with shell=True to launch server commands. This allows for arbitrary shell command execution. This risk is downgraded to MEDIUM as it is the primary intended mechanism for the skill to function, but it remains dangerous if the input commands are influenced by external data.
  • PROMPT_INJECTION (LOW): The SKILL.md file includes an instruction for the agent to 'DO NOT read the source' of scripts before execution. This practice reduces the visibility of risky implementations like shell=True and is considered a poor security practice.
  • Indirect Prompt Injection (LOW): The skill is designed to analyze web content and console logs using Playwright (page.content(), page.on('console', ...)). This is a classic indirect prompt injection surface. Evidence Chain:
    1. Ingestion points: examples/element_discovery.py (page content) and examples/console_logging.py (console logs).
    2. Boundary markers: None present.
    3. Capability inventory: Arbitrary shell execution via scripts/with_server.py using subprocess.Popen.
    4. Sanitization: No sanitization or validation of external content is performed before processing.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 17, 2026, 06:03 PM