playwright-skill

Fail

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: HIGH
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill implements a 'Universal Playwright Executor' in run.js that facilitates the execution of arbitrary JavaScript code provided via command-line arguments, stdin, or external files using the Node.js require() function.
  • [REMOTE_CODE_EXECUTION]: The core workflow described in SKILL.md involves the agent dynamically writing custom JavaScript automation scripts to /tmp and then executing them. This 'generate-and-execute' pattern is highly dangerous as the generated code may incorporate data from untrusted sources (like the websites being automated), leading to arbitrary code execution on the host machine.
  • [DATA_EXFILTRATION]: The browser automation capabilities allow for broad access to sensitive information, including local files (via file:// protocols), browser cookies, and session storage. This data can be easily exfiltrated to external endpoints during the automation process.
  • [COMMAND_EXECUTION]: The run.js script automatically executes shell commands (npm install and npx playwright install) if dependencies are not detected, which constitutes unsupervised command execution during the skill's initialization phase.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it is designed to process and act upon untrusted web content.
      • Ingestion points: Web page DOM content, text, and metadata retrieved through Playwright operations.
      • Boundary markers: Absent; there are no instructions to the agent to ignore or delimit instructions found within the content of the pages it automates.
      • Capability inventory: Arbitrary JavaScript execution via run.js, file system access (writing to /tmp), and network access through the automated browser.
      • Sanitization: Absent; the agent is encouraged to construct custom scripts based directly on the observed structure and content of the target websites.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 10, 2026, 09:34 AM