playwright

Fail

Audited by Gen Agent Trust Hub on Apr 7, 2026

Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The runCode (tools/runCode.js) and evaluate (tools/evaluate.js) tools execute arbitrary JavaScript strings provided in the parameters. While evaluate runs in the browser context, runCode uses the Node.js vm module to execute code on the host, which can be abused if the agent is manipulated into running malicious logic.
  • [DATA_EXFILTRATION]: The outputFile function in lib/config.js, used by lib/response.js, allows for writing files to arbitrary absolute paths on the host system if a suggestedFilename is provided as an absolute path. This vulnerability affects tools such as pdf, screenshot, video, and storageState, enabling an attacker to overwrite system files or save sensitive data to accessible locations.
  • [DATA_EXFILTRATION]: The fileUpload tool in tools/files.js permits the agent to select and upload arbitrary files from the local filesystem to a web page, which can be exploited to exfiltrate sensitive local documents or configuration files.
  • [CREDENTIALS_UNSAFE]: The skill provides tools for managing cookies (tools/cookies.js) and web storage (tools/webstorage.js, tools/storage.js). These allow listing, retrieving, and exporting full session states, which often include sensitive authentication tokens and session identifiers.
  • [EXTERNAL_DOWNLOADS]: The install tool in tools/install.js triggers the download and installation of browser binaries from external registries using the Playwright CLI.
  • [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection. It ingests untrusted data from web pages (via snapshot, consoleMessages, and networkRequests) and possesses powerful capabilities (such as arbitrary file writes, cookie manipulation, and script execution) that can be triggered by instructions hidden in a malicious website's metadata or accessibility tree.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 7, 2026, 07:33 PM