playwright
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: CRITICAL
Tags: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- Remote Code Execution (CRITICAL): The file `run.js` is designed to execute arbitrary JavaScript code. It takes raw input from `process.argv` or `stdin`, wraps it in a template (in `wrapCodeIfNeeded`), writes it to a local file (`.temp-execution-...js`), and then uses dynamic `import()` to execute it. This provides a direct and unconstrained path for executing arbitrary code on the host machine.
- Command Execution (HIGH): The `installPlaywright` function in `run.js` uses `execSync` to run shell commands such as `npm install` and `npx playwright install`. Combined with the RCE path above, an attacker who controls the input can also run arbitrary system commands or tamper with the environment those installs run in.
- Data Exfiltration (HIGH): Because the skill drives Playwright, it has full browser and network capabilities. An attacker exploiting the RCE path can use them to scrape local data, reach internal network services (for example the `localhost:3000` mentioned in the examples), or steal authentication tokens and send them to a remote server.
- Dynamic Execution (CRITICAL): The skill's core functionality is generating and executing code at runtime. Specifically, `wrapCodeIfNeeded` constructs a string of executable JavaScript that is then saved to disk and loaded. This is a classic sink for malicious payloads and bypasses standard safety constraints.
- Indirect Prompt Injection (HIGH): The skill's ingestion points (stdin and command-line arguments) typically receive data derived from external, untrusted sources processed by an AI agent. There are no boundary markers or sanitization routines, so an adversary can embed malicious code in a web page or file that the agent then passes to this skill for execution.
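The findings above all reduce to one shape: untrusted input (argv, stdin) reaching a code-execution sink (a non-literal `import()`/`require()`, `eval`) or a shell sink (`execSync`), with a write to a temp path in between. The following is an added example, not the audited skill's code and not Gen Agent Trust Hub tooling: a small line-oriented scanner that flags those sources, sinks and indicators and reports the two chains the audit describes. It is run over a constructed snippet whose shape mimics the description of `run.js` (function and file names reconstructed from the text, bodies invented for illustration), and over a clean snippet that only loads a fixed, literal module path. Regex matching is a triage aid only; it can miss aliased or obfuscated calls, so a `PASS` here is not proof of absence.

```javascript
// Added example: heuristic scanner for the input-to-code-execution and
// write-then-import patterns described in the audit. Not the project's code.

// Where untrusted data enters a Node.js skill.
const SOURCES = [
  { id: 'argv',  re: /\bprocess\.argv\b/ },
  { id: 'stdin', re: /\bprocess\.stdin\b|\breadFileSync\(\s*0\b|\/dev\/stdin\b/ },
];

// Sinks. The dynamic-import rule only fires when the argument is NOT a plain
// string literal (no template interpolation), so import('./vetted.js') is fine
// but import(tmpFile) and import(`file://${p}`) are flagged.
const SINKS = [
  { id: 'eval',           severity: 'CRITICAL', re: /\beval\s*\(|\bnew\s+Function\s*\(/ },
  { id: 'dynamic-import', severity: 'CRITICAL',
    re: /\b(import|require)\s*\(\s*(?!['"`][^'"`$]*['"`]\s*\))/ },
  // Only counts when child_process is referenced somewhere in the file, to
  // reduce noise from unrelated exec()/spawn() names.
  { id: 'shell-exec',     severity: 'HIGH',
    re: /\b(execSync|execFileSync|spawnSync|exec|execFile|spawn)\s*\(/,
    requires: /\bchild_process\b/ },
];

// Supporting evidence for the write-then-import chain.
const INDICATORS = [
  { id: 'temp-path',  re: /\btmpdir\s*\(|\.temp-execution|\/tmp\// },
  { id: 'file-write', re: /\bwriteFile(Sync)?\s*\(/ },
];

// Scan one source file; returns line-numbered findings plus inferred chains.
function scan(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    const line = i + 1;
    for (const s of SOURCES) if (s.re.test(text)) findings.push({ kind: 'source', id: s.id, line });
    for (const k of SINKS) {
      if (k.requires && !k.requires.test(source)) continue;
      if (k.re.test(text)) findings.push({ kind: 'sink', id: k.id, severity: k.severity, line });
    }
    for (const ind of INDICATORS) if (ind.re.test(text)) findings.push({ kind: 'indicator', id: ind.id, line });
  });
  const has = (kind, id) => findings.some((f) => f.kind === kind && f.id === id);
  const chains = [];
  if (findings.some((f) => f.kind === 'source') && (has('sink', 'dynamic-import') || has('sink', 'eval'))) {
    chains.push('untrusted-input-to-code-execution');
  }
  if (has('indicator', 'temp-path') && has('indicator', 'file-write') && has('sink', 'dynamic-import')) {
    chains.push('write-then-import');
  }
  return { findings, chains };
}

// Collapse findings into a single risk level.
function verdict({ findings, chains }) {
  if (chains.length) return 'CRITICAL';
  const sev = findings.filter((f) => f.kind === 'sink').map((f) => f.severity);
  if (sev.includes('CRITICAL')) return 'CRITICAL';
  if (sev.includes('HIGH')) return 'HIGH';
  return 'PASS';
}

// Constructed sample shaped like the audit's description of run.js (hypothetical, not the real file).
const SAMPLE = [
  "const { execSync } = require('child_process');",                                   // 1
  "const fs = require('fs');",                                                          // 2
  "const os = require('os');",                                                          // 3
  "const path = require('path');",                                                      // 4
  'function installPlaywright() {',                                                     // 5
  "  execSync('npm install playwright', { stdio: 'inherit' });",                        // 6
  "  execSync('npx playwright install chromium', { stdio: 'inherit' });",               // 7
  '}',                                                                                  // 8
  'function wrapCodeIfNeeded(code) {',                                                  // 9
  "  return 'export default async function run(page) {' + code + '}';",               // 10
  '}',                                                                                  // 11
  'async function main(page) {',                                                        // 12
  "  const code = process.argv[2] || fs.readFileSync(0, 'utf8');",                      // 13
  "  const file = path.join(os.tmpdir(), '.temp-execution-' + Date.now() + '.mjs');",   // 14
  '  fs.writeFileSync(file, wrapCodeIfNeeded(code));',                                  // 15
  '  const mod = await import(file);',                                                  // 16
  '  await mod.default(page);',                                                         // 17
  '}',                                                                                  // 18
].join('\n');

// Constructed clean sample: only a fixed, literal module path is loaded.
const CLEAN = [
  "const { chromium } = require('playwright');",
  "async function main() { const mod = await import('./scripts/login.js'); return mod; }",
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify({ sample: scan(SAMPLE), verdict: verdict(scan(SAMPLE)) }, null, 2));
}
```

On the constructed sample the scanner reports both chains and a `CRITICAL` verdict; on the clean sample, where the only `import()` takes a string literal and no input source is present, it reports `PASS`. The distinction it encodes is the one that matters for review: a skill that loads a fixed, vetted script is auditable, while one that materialises its input as code is not, regardless of what the wrapper template around that input looks like.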
Recommendations
- AI detected serious security threats
Audit Metadata