browser-automation

Pass

Audited by Gen Agent Trust Hub on Mar 21, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection.
      • Ingestion points: Data from untrusted external websites is ingested via playwright_navigate and playwright_extract_content.
      • Boundary markers: No specific delimiters or instructions are provided to the agent to distinguish between user commands and content found on the web.
      • Capability inventory: High-impact tools such as playwright_click, playwright_fill, and playwright_evaluate could be triggered or manipulated by malicious website content.
      • Sanitization: There is no documentation of sanitization or filtering of content retrieved from the browser before it is processed by the AI.
  • [COMMAND_EXECUTION]: The tool playwright_evaluate enables the execution of arbitrary JavaScript within the browser context. This allows for manipulation of page state and access to all data present in the browser's Document Object Model (DOM).
  • [DATA_EXFILTRATION]: Tools like playwright_screenshot and playwright_extract_content allow for the extraction of sensitive information from any URL accessible to the browser, which could include internal network resources if the execution environment is not isolated.
  • [EXTERNAL_DOWNLOADS]: The skill references the official Microsoft Playwright MCP server repository on GitHub as the source for its automation capabilities.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 21, 2026, 02:44 AM