drawnote-skill

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
  • [COMMAND_EXECUTION] (MEDIUM): The skill utilizes child_process.spawn and execSync across multiple scripts (install-dependencies.js, verify-installation.js) to execute npm and npx commands.
  • Evidence: spawn('npx', ['playwright', 'install', ...]) in scripts/install-dependencies.js and spawn('npm', ['install']) in scripts/verify-installation.js.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The installation process automatically triggers the download of the Chromium browser and system-level dependencies. While Playwright is a reputable source, automated binary execution in a skill environment is a high-risk pattern.
  • Evidence: npx playwright install chromium --with-deps is executed in the postinstall hook and scripts/install-dependencies.js.
  • [DATA_EXPOSURE] (LOW): The scripts/capture.js script allows the agent to open and screenshot any local file accessible to the process using the file:// protocol. This could be abused via indirect prompt injection to leak sensitive local files (e.g., config files or ssh keys) as images.
  • Evidence: `const fileUrl = \`file://${absoluteHtmlPath}\`;` followed by `await page.goto(fileUrl)` in `scripts/capture.js`.
  • [INDIRECT_PROMPT_INJECTION] (LOW): The skill ingests untrusted HTML data which is then rendered in a browser environment with sandbox-disabling flags (--no-sandbox).
  • Ingestion point: html-file-path argument in scripts/capture.js.
  • Boundary markers: None identified.
  • Capability inventory: Local file read, screenshot generation, and shell command execution (via other scripts in the package).
  • Sanitization: None; the script resolves absolute paths without validating if the target file is intended to be processed.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 17, 2026, 06:09 PM