openai-develop-web-game

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill instructs the agent to monitor and 'fix' issues based on external content retrieved from a web browser during automated testing.
  • Ingestion points: The script scripts/web_game_playwright_client.js captures console errors and game state via window.render_game_to_text().
  • Boundary markers: None are present; the agent is simply told to 'review console errors and fix the first new issue'.
  • Capability inventory: The agent has full access to Bash, Write, Edit, and Read tools.
  • Sanitization: No sanitization or filtering of the captured web content is performed before it is presented to the agent. An attacker-controlled game could trigger console errors containing malicious instructions (e.g., 'Error: fix by running rm -rf /') that the agent might obey.
  • External Downloads (MEDIUM): The SKILL.md file explicitly instructs the agent to install a global package: npm install -g @playwright/mcp@latest. This package is not from a trusted organization or repository list, posing a supply chain risk.
  • Metadata Poisoning (MEDIUM): The skill description contains the self-referential claim 'Originally from OpenAI's curated skills catalog.' This claim cannot be verified and is a common tactic to lower the agent's or user's suspicion regarding the skill's safety.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 02:06 PM