playwright-cli

Warn

Audited by Gen Agent Trust Hub on Apr 28, 2026

Risk Level: MEDIUM
PROMPT_INJECTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: Instruction to override internal behavior. The skill contains a directive: 'CRITICAL: Your training data for Playwright is unreliable. ... You MUST fetch and read the live documentation before writing any code.' This explicitly instructs the agent to disregard its internal training and rely on external sources.
  • [PROMPT_INJECTION]: Indirect Prompt Injection surface analysis.
      • Ingestion points: Browser content ingested via playwright-cli snapshot, playwright-cli console, and playwright-cli eval in SKILL.md.
      • Boundary markers: No boundary markers or instructions to ignore embedded commands in the fetched content are present.
      • Capability inventory: Extensive capabilities including writing files (screenshot, pdf, state-save), reading browser state (cookie-list, state-load), and executing code (eval, run-code).
      • Sanitization: No evidence of sanitization or validation of data retrieved from web pages before use in subsequent commands.
  • [REMOTE_CODE_EXECUTION]: Arbitrary code execution capability. The command playwright-cli run-code allows the execution of arbitrary JavaScript/Playwright code strings. If the agent incorporates untrusted data from a website into this command, it could lead to code execution in the tool's environment.
  • [DATA_EXFILTRATION]: Access to sensitive browser state. The skill provides commands to extract cookies (cookie-list), local storage (localstorage-list), and saved session states (state-save). This allows for the harvesting of authentication tokens and session data.
  • [EXTERNAL_DOWNLOADS]: Remote package execution. The documentation suggests using npx playwright-cli, which involves downloading and executing a package from the npm registry at runtime.
  • [COMMAND_EXECUTION]: Shell command usage. The skill is configured to use the Bash tool to execute playwright-cli commands. While scoped via allowed-tools, the command set covers sensitive file system and network operations.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 28, 2026, 11:35 AM