tampermonkey-script

Pass

Audited by Gen Agent Trust Hub on Apr 14, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it fetches and processes data from arbitrary external websites to guide its code generation process. A malicious website could contain hidden instructions designed to trick the agent into generating harmful userscripts.
      • Ingestion points: The skill uses browser_snapshot, browser_evaluate, and browser_navigate to ingest untrusted DOM data from any URL provided by the user or discovered during execution (SKILL.md).
      • Boundary markers: The instructions lack delimiters or specific 'ignore' directives to prevent the agent from following instructions embedded within the fetched website content.
      • Capability inventory: The skill utilizes the present_files capability to write and provide executable .user.js files to the user (SKILL.md).
      • Sanitization: There is no evidence of sanitization or validation of the website content before it is used as context for the LLM's reasoning.
  • [COMMAND_EXECUTION]: The skill provides instructions for the user to execute shell commands such as claude mcp add and npx playwright install to set up the Playwright MCP environment (SKILL.md).
  • [EXTERNAL_DOWNLOADS]: The skill recommends the installation of the @playwright/mcp package from the npm registry to enhance its capabilities. While this targets a well-known tool, it involves downloading external code to the user's environment.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 14, 2026, 11:47 AM