qa-testing

Pass

Audited by Gen Agent Trust Hub on May 6, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides several JavaScript snippets intended for execution in a browser's developer tools console. These snippets are designed to extract page metadata (title, tags, headings), audit image attributes, and check HTTP response headers. These operations are read-only and restricted to the browser context, posing no risk to the host system or local files.
  • [DATA_EXPOSURE]: One snippet uses the fetch API to retrieve headers from the current site's origin. This is a standard procedure for verifying security headers (like HSTS or X-Frame-Options) and does not involve exfiltrating sensitive data or accessing local credentials.
  • [INDIRECT_PROMPT_INJECTION]: The skill is designed to ingest and summarize data from untrusted web pages. While a malicious page could theoretically embed instructions in its metadata (e.g., in a meta description or heading) to influence the agent's report, this is a known risk inherent to all web-browsing skills. The risk is considered low as the agent is specifically tasked with the extraction and validation of these fields as data points.
Audit Metadata
Risk Level: SAFE
Analyzed: May 6, 2026, 05:01 PM