webapp-testing

Pass

Audited by Gen Agent Trust Hub on Apr 5, 2026

Risk Level: SAFE
Finding categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The utility script scripts/with_server.py uses subprocess.Popen with shell=True to execute server commands provided via the --server CLI argument. This allows for the execution of arbitrary shell commands, which could be exploited if the inputs are influenced by malicious data.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it retrieves and processes untrusted data from web applications.
      • Ingestion points: The example scripts examples/element_discovery.py and examples/console_logging.py extract text directly from the DOM and capture browser console logs into the agent's context.
      • Boundary markers: There are no instructions or delimiters defined to help the agent distinguish between its own system instructions and potentially malicious instructions embedded in the web pages being tested.
      • Capability inventory: The agent has access to powerful shell execution capabilities through the scripts/with_server.py script.
      • Sanitization: Content retrieved from external web pages via Playwright is not sanitized or filtered before being presented to the agent.
  • [COMMAND_EXECUTION]: The instructions in SKILL.md explicitly discourage the agent from reading the source code of the provided scripts, suggesting they be used as 'black boxes'. This reduces transparency and limits the agent's ability to verify the safety of the commands it is instructed to run.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 5, 2026, 03:18 PM