
webapp-testing

Warn

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/with_server.py uses subprocess.Popen with shell=True to execute server start commands and subprocess.run to execute the main automation command. This allows for arbitrary shell command execution on the host environment.
  • [PROMPT_INJECTION]: The SKILL.md file includes instructions that advise the agent to 'DO NOT read the source until you try running the script first'. This instruction is a bypass pattern that discourages the agent from performing security inspections of the code it is about to execute.
  • [INDIRECT_PROMPT_INJECTION]: The skill is designed to interact with web applications and capture their content (e.g., via page.content() or console logs). This creates an attack surface where untrusted data from a web page could attempt to inject instructions into the agent's context.
  • Ingestion points: page.content() and page.locator().all() in SKILL.md; msg.text in examples/console_logging.py.
  • Boundary markers: None identified in the provided examples.
  • Capability inventory: File system access (open()), screenshot capture, and arbitrary command execution via scripts/with_server.py.
  • Sanitization: No evidence of sanitization or filtering of captured web content before processing.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 11, 2026, 04:54 PM