fast-playwright

Warn

Audited by Gen Agent Trust Hub on Mar 7, 2026

Risk Level: MEDIUM (DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
  • [DATA_EXFILTRATION]: The skill includes a tool capable of uploading local files to remote websites.
      • Evidence: The browser_file_upload tool in SKILL.md accepts a list of local file paths to be uploaded through the browser session.
      • Risk: An agent could be manipulated via malicious web content to upload sensitive local files (e.g., .env, SSH keys) to an attacker-controlled domain.
  • [PROMPT_INJECTION]: The skill interacts with external web content, creating an attack surface for indirect prompt injection.
      • Ingestion points: Content is ingested from the browser using browser_snapshot, browser_inspect_html, and browser_console_messages (SKILL.md).
      • Boundary markers: There are no explicit instructions or delimiters provided to the agent to treat retrieved web content as untrusted.
      • Capability inventory: The skill has high-impact capabilities including file uploading and arbitrary code execution in the browser.
      • Sanitization: No sanitization is performed on the data retrieved from the browser before it is processed by the agent.
  • [EXTERNAL_DOWNLOADS]: The installation process involves downloading external dependencies and browser binaries.
      • Evidence: scripts/install.js runs npm install and npx playwright install chromium.
      • Context: These are standard operations for setting up a Playwright-based environment and use well-known, trusted sources.
  • [COMMAND_EXECUTION]: The skill allows the execution of arbitrary JavaScript within the browser context.
      • Evidence: The browser_evaluate tool (SKILL.md) enables the execution of user-supplied JavaScript functions on the active page.
      • Risk: This could be used to interact with sensitive session data or perform unauthorized actions on behalf of the user on specific websites.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 7, 2026, 06:59 PM