webapp-testing

Warn

Audited by Gen Agent Trust Hub on May 14, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/with_server.py uses subprocess.Popen(shell=True) to execute the string passed via the --server argument. Because the string is handed to a shell, arbitrary shell commands can be executed, including shell features such as command chaining (e.g., &&), pipes and redirection, and environment variable expansion.
  • [PROMPT_INJECTION]: The skill is highly vulnerable to Indirect Prompt Injection (Category 8) because its primary function is browsing and inspecting external web applications.
    • Ingestion points: The agent interacts with external sites via page.goto(url) and page.content() in the provided Playwright examples.
    • Boundary markers: The instructions and example scripts contain no boundary markers or "ignore instructions" warnings for processed web content.
    • Capability inventory: The skill includes the scripts/with_server.py utility, which provides full shell execution capabilities.
    • Sanitization: There is no evidence that data retrieved from web pages is sanitized, filtered, or validated before the agent acts upon it.
  • [METADATA_POISONING]: The SKILL.md file contains an instruction to the agent: "DO NOT read the source until you try running the script first... they exist to be called directly as black-box scripts." This instruction discourages the agent from auditing the behavior of the bundled scripts (which perform shell execution), potentially leading to unverified execution of dangerous commands.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 14, 2026, 01:55 AM