webapp-testing

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill is highly vulnerable to indirect prompt injection because it fetches and processes data from untrusted external URLs via Playwright. Malicious instructions hidden in page titles, metadata, or console logs could influence the agent's subsequent actions.
  • Ingestion points: scripts/playwright_runner.py (extracts page.title(), page.url, and console messages).
  • Boundary markers: None. External content is returned to the agent without delimiters or safety warnings.
  • Capability inventory: The skill allows access to Bash, Write, Edit, and Read tools.
  • Sanitization: No sanitization or filtering of the extracted web content is performed.
  • Server-Side Request Forgery / Internal Recon (MEDIUM): The playwright_runner.py script accepts arbitrary URLs. An attacker (or a malicious site via redirects) could force the agent to probe local services (e.g., http://localhost:8080) or internal network resources, potentially exposing sensitive metadata or service availability through the returned JSON results.
  • External Dependencies (LOW): The skill relies on the playwright package and requires the installation of browser binaries (playwright install chromium). While these are standard tools, they involve downloading and executing external code on the host system.
  • Dynamic JS Execution (LOW): The script uses page.evaluate() to run JavaScript within the browser context. While the current implementation uses hardcoded strings for performance metrics, this provides a surface for more complex browser-based attacks if modified.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 09:56 AM