skills/smithery/ai/webapp-testing/Gen Agent Trust Hub

webapp-testing

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [Prompt Injection] (HIGH): The skill contains self-referential instructions in its code review checklist claiming "Zero critical security issues verified" and "No high-priority vulnerabilities found". This is a deceptive attempt to influence the agent's safety judgment and bypass security auditing protocols.
  • [Indirect Prompt Injection] (HIGH): The skill is designed to ingest untrusted data from web URLs and local code, which is then processed using high-privilege tools.
      • Ingestion points: external URLs via the playwright_runner.py script, and local codebase analysis using Glob and Grep.
      • Boundary markers: absent. No delimiters or instructions are provided to the agent to isolate or ignore embedded instructions within the data being tested or reviewed.
      • Capability inventory: full access to Bash, Write, Edit, and Python execution.
      • Sanitization: absent. There is no evidence of input validation or content filtering, so potentially malicious instructions in a web page or code file could trigger arbitrary command execution via the Bash tool.
  • [Command Execution] (MEDIUM): The skill documentation encourages using the Bash tool to run Python scripts against arbitrary URLs. Without strict input sanitization, this provides a direct path to command injection or remote execution if the URL or page content is crafted to exploit shell parsing.
  • [External Downloads] (LOW): The skill requires installing the playwright package and its browser binaries. While playwright comes from a trusted source, installing unversioned dependencies at runtime via an agent skill violates best practice and could introduce supply chain risk.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 06:44 AM