playwriter
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): The mcp.json configuration uses npx -y playwriter@latest, which downloads and executes code from the public npm registry without a pinned version. This exposes the system to supply chain attacks.
- REMOTE_CODE_EXECUTION (HIGH): The execute tool allows for the execution of arbitrary JavaScript within the browser context. This provides a direct path for remote code execution if the agent is manipulated.
- DATA_EXFILTRATION (MEDIUM): Tools such as screenshot and getCleanHTML can be used to extract sensitive data from the user's browser tabs, which could then be exfiltrated.
- PROMPT_INJECTION (LOW): The skill is highly vulnerable to Indirect Prompt Injection (Category 8). Evidence:
  1. Ingestion points: Web content is ingested via getCleanHTML and accessibilitySnapshot.
  2. Boundary markers: No delimiters or safety instructions are provided to separate data from commands.
  3. Capability inventory: The skill can execute JS via Playwright, take screenshots, and access the network.
  4. Sanitization: There is no evidence of input validation or content filtering before processing web data.
Recommendations
- AI detected serious security threats
Audit Metadata