compose-ui-control

Fail

Audited by Gen Agent Trust Hub on Apr 28, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The ScreenshotEndpoint.kt file implements a /captureScreenshot endpoint that takes a path parameter from the query string and passes it straight to File(outputPath).writeBytes(data.bytes), with no confinement to an expected output directory. Any caller who can reach the endpoint can therefore make the server write the screenshot's PNG bytes to any path the server process is permitted to write (an unauthenticated arbitrary file write via path traversal), overwriting existing files and potentially causing denial of service or configuration corruption.
  • [COMMAND_EXECUTION]: The core functionality of the skill is to expose UI control operations (clicking, text input) over an HTTP server. When enabled, this allows remote execution of application logic and manipulation of the user interface by anything that can reach the server, since the endpoints carry no authentication.
  • [DATA_EXFILTRATION]: The ComposeUiTestServerConfig.kt file defines the default host as 0.0.0.0. This binds the Ktor server to all available network interfaces rather than to loopback, so the unauthenticated UI control API and screenshot capture capability are reachable from every host on the local network (and from further afield if the machine is otherwise exposed).
  • [EXTERNAL_DOWNLOADS]: The SKILL.md and README.md files instruct the user to download and install the agent skill from a remote repository (forketyfork/compose-ui-test-server). That repository is not an established or trusted vendor for the declared author, 'JetBrains', so the downloaded code cannot be tied to the claimed provenance.
  • [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface by allowing the agent to read and interact with UI elements.
      • Ingestion points: UI element text and tags are read into the agent context via onNodeWithText and onNodeWithTag in ClickEndpoints.kt and WaitEndpoints.kt.
      • Boundary markers: None. There are no instructions for the agent to distinguish between UI labels and potential instructions embedded in UI data.
      • Capability inventory: The skill provides capabilities to perform clicks, input text, and write files to disk.
      • Sanitization: None. Data extracted from the UI is used directly to drive agent behavior.
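As an added illustration of the first and third findings above (this is example code written for this audit page, not code from the compose-ui-test-server project, whose source the audit quotes only as the File(outputPath).writeBytes(data.bytes) call), the following Ktor 2.x server shows the shape of the vulnerable endpoint next to a hardened version. The hardened route confines the output name to a single screenshot directory, refuses symlinks at the target name, and the server binds to 127.0.0.1 instead of the audited 0.0.0.0 default. The names screenshotDir, resolveOutputPath, captureScreenshotUnsafe, captureScreenshotSafe and the capture callback are assumptions for the example.

```kotlin
import io.ktor.http.HttpStatusCode
import io.ktor.server.application.*
import io.ktor.server.engine.embeddedServer
import io.ktor.server.netty.Netty
import io.ktor.server.response.*
import io.ktor.server.routing.*
import java.io.File
import java.nio.file.Files
import java.nio.file.InvalidPathException
import java.nio.file.Path
import java.nio.file.Paths

// Assumed for this example: the only directory screenshots may be written to.
val screenshotDir: Path = Paths.get(System.getProperty("java.io.tmpdir"), "compose-screenshots")

// Shape of the endpoint the finding describes (reconstructed from the audit text, not the
// project's source): the caller-supplied path goes straight into File(...).writeBytes(...).
// GET /captureScreenshot?path=/home/user/.ssh/authorized_keys would overwrite that file
// with PNG bytes if the server process is allowed to write it.
fun Route.captureScreenshotUnsafe(capture: () -> ByteArray) {
    get("/captureScreenshot") {
        val outputPath = call.request.queryParameters["path"] ?: "screenshot.png"
        File(outputPath).writeBytes(capture())
        call.respondText("saved to $outputPath")
    }
}

// Returns the confined output path, or null when the request is anything other than a
// bare *.png file name. Every traversal form ("../x.png", "/etc/x.png", "dir/x.png") loses
// its prefix in fileName and therefore fails the equality check against the raw input.
fun resolveOutputPath(baseDir: Path, requested: String): Path? {
    val base = baseDir.toAbsolutePath().normalize()
    val fileName = try {
        Paths.get(requested).fileName?.toString()
    } catch (e: InvalidPathException) {
        null
    }
    if (fileName == null || fileName != requested) return null
    if (fileName == ".png" || !fileName.endsWith(".png")) return null
    val candidate = base.resolve(fileName).normalize()
    // Defence in depth: the result must sit directly under base, never elsewhere.
    return if (candidate.parent == base) candidate else null
}

// Hardened endpoint: the name is confined to screenshotDir, an existing symlink at that
// name is refused so the write cannot be redirected, and the response does not echo the
// raw input back to the caller.
fun Route.captureScreenshotSafe(capture: () -> ByteArray) {
    get("/captureScreenshot") {
        val requested = call.request.queryParameters["path"] ?: "screenshot.png"
        val target = resolveOutputPath(screenshotDir, requested)
        if (target == null || Files.isSymbolicLink(target)) {
            call.respondText("path must be a bare *.png file name", status = HttpStatusCode.BadRequest)
            return@get
        }
        Files.createDirectories(screenshotDir)
        Files.write(target, capture())
        call.respondText("saved to ${target.fileName}")
    }
}

fun main() {
    // Stand-in for the real capture: just the eight-byte PNG signature (constructed sample).
    val fakePng = { byteArrayOf(0x89.toByte(), 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A) }
    // Bind to loopback only; the audited config defaults to 0.0.0.0 (all interfaces).
    embeddedServer(Netty, host = "127.0.0.1", port = 8080) {
        routing { captureScreenshotSafe(fakePng) }
    }.start(wait = true)
}
```

Confining the name rather than canonicalising an arbitrary path is deliberate: a bare file name has no directory component to traverse with, so the check does not depend on how the platform normalises ".." or drive prefixes. Binding to loopback closes the network exposure but does not add authentication; anything running as the same user on the machine can still drive the UI, which is the second COMMAND_EXECUTION finding above.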
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 28, 2026, 10:49 PM
Security Audit — agent-trust-hub — compose-ui-control