webapp-testing

Warn

Audited by Gen Agent Trust Hub on Mar 28, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/with_server.py executes arbitrary shell commands provided via the --server argument using subprocess.Popen with shell=True. This design allows the execution of complex shell chains (e.g., using && or cd) but lacks sanitization, enabling the execution of any command the agent supplies based on its task or ingested data.
  • [COMMAND_EXECUTION]: The script scripts/with_server.py further executes a user-specified command (provided as trailing positional arguments) using subprocess.run. This provides a direct wrapper for running any local binary or script with arbitrary parameters.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. Example scripts like examples/element_discovery.py and examples/console_logging.py ingest untrusted data from external sources (web page HTML content and browser console logs). This data is returned to the agent's context to help identify UI selectors or debug behavior. Malicious instructions embedded in a tested web page could potentially manipulate the agent's logic to perform unintended actions using the available command execution tools.
  • [PROMPT_INJECTION]: The SKILL.md file contains instructions specifically directing the agent to "Use bundled scripts as black boxes" and "DO NOT read the source until you try running the script first." This pattern discourages the agent from inspecting the internal logic of scripts/with_server.py, which may prevent it from recognizing the risks associated with the underlying shell=True execution.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 28, 2026, 08:18 PM
Security Audit — agent-trust-hub — webapp-testing