playwright-cli

Warn

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill includes a run-code command that allows the execution of arbitrary JavaScript code strings within the browser context. This provides a powerful vector for code execution if the agent is subverted.
  • [COMMAND_EXECUTION]: The skill relies on the Bash tool to execute npx commands, which dynamically download and run the @playwright/cli package. This allows the agent to execute a wide range of browser-related system commands.
  • [DATA_EXFILTRATION]: The skill provides commands such as state-save, cookie-get, and localstorage-get to interact with sensitive browser data. This information, which may include authentication tokens and session cookies, is saved to local files like auth.json, creating a risk of credential exposure or exfiltration if these files are accessed by unauthorized entities.
  • [CREDENTIALS_UNSAFE]: The skill explicitly instructs and facilitates the storage of authentication state (cookies and local storage) in auth.json files. While it provides warnings against committing these files, the mechanism itself creates a high-value target for credential theft.
  • [PROMPT_INJECTION]: The skill's core functionality involves navigating to external websites and extracting their content using snapshot and eval. This creates a vulnerability to indirect prompt injection.
      1. Ingestion points: Untrusted data enters the agent context via the goto, snapshot, and eval commands when interacting with external web pages.
      2. Boundary markers: The instructions do not define any boundary markers or delimiters to isolate content retrieved from web pages from the agent's system instructions.
      3. Capability inventory: The skill possesses extensive capabilities, including executing shell commands via Bash and arbitrary JavaScript via the run-code command.
      4. Sanitization: There is no evidence of sanitization, filtering, or validation performed on the data extracted from external websites before it is processed by the agent.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 10, 2026, 01:54 PM