qa-chaos-monkey

Pass

Audited by Gen Agent Trust Hub on May 9, 2026

Risk Level: SAFE
Findings: DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill is designed to read sensitive configuration and credentials from local environment files such as .env.qa (e.g., SIGNING_SECRET). These credentials are then used in network requests made via Bash or WebFetch to endpoints defined in a test plan. While this is standard for automated testing, both the secret and the request destination are read from local files, so a tampered test plan or a malicious target endpoint creates a path for credential exposure.
  • [COMMAND_EXECUTION]: The skill utilizes the Bash tool to perform complex operations such as generating HMAC-SHA256 signatures using openssl. Although this is a functional requirement for its role as a QA tool, providing an agent with shell access to execute system commands remains a high-privilege capability that could be abused if the agent's logic is subverted.
  • [EXTERNAL_DOWNLOADS]: The skill interacts extensively with external network resources through WebFetch and browser automation tools (mcp__playwright) to perform API testing and verify application states.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface due to the way it handles external data.
    • Ingestion points: It ingests data from external API responses via WebFetch and Playwright tools, as well as from local configuration files like .qa/test-plan.md.
    • Boundary markers: Absent. The instructions do not specify delimiters or provide guidance for the agent to ignore potentially malicious instructions embedded within the API responses it tests.
    • Capability inventory: The agent has access to highly capable tools, including Bash for command execution, WebFetch for network operations, and Read for file system access.
    • Sanitization: Absent. There is no evidence of logic intended to sanitize or validate the content of external API responses before the agent acts on them.
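The DATA_EXFILTRATION and COMMAND_EXECUTION findings above describe a skill that reads SIGNING_SECRET from .env.qa and signs requests with openssl HMAC-SHA256 before sending them to test-plan endpoints. The shell example below is added here to illustrate that flow and the control a practitioner would want in front of it: an operator-owned host allowlist checked before any signed request leaves the machine, so that a test plan edited to point at an attacker host cannot carry the signature (or the secret it derives from) off-box. This is example code, not the qa-chaos-monkey skill's own implementation; the .env.qa contents, allowlist, URLs and function names are constructed for the example.

```shell
#!/usr/bin/env sh
# Added example, not part of the audited skill. Shows HMAC-SHA256 request
# signing with openssl plus an endpoint allowlist gate. All data below is
# constructed for illustration.

# Constructed stand-in for the contents of .env.qa (a real run would source
# the file); the secret value is a placeholder.
ENV_QA='SIGNING_SECRET=example-qa-secret-do-not-use'

# Allowlisted target hosts. Assumed to be set by the operator, never read
# from the test plan, so a tampered test plan cannot extend it.
ALLOWED_HOSTS="qa.example.internal staging-api.example.internal"

# load_secret VAR TEXT: print the value of VAR from dotenv-style TEXT.
load_secret() {
  printf '%s\n' "$2" | sed -n "s/^$1=//p" | head -n 1
}

# sign_body SECRET BODY: hex HMAC-SHA256 of BODY keyed with SECRET.
# awk takes the last field so both "(stdin)= <hex>" (OpenSSL 1.1) and
# "HMAC-SHA2-256(stdin)= <hex>" (OpenSSL 3) output formats work.
sign_body() {
  printf '%s' "$2" | openssl dgst -sha256 -hmac "$1" | awk '{print $NF}'
}

# url_host URL: host component of an http(s) URL. Userinfo such as
# "https://qa.example.internal@evil.example/" is deliberately not stripped,
# so the whole "qa.example.internal@evil.example" string is compared and
# fails the exact-match allowlist below.
url_host() {
  printf '%s' "$1" | sed -E 's#^[a-zA-Z]+://([^/:?]+).*#\1#'
}

# host_allowed HOST: succeed only on an exact match against ALLOWED_HOSTS.
# Exact match (not prefix or substring) stops "qa.example.internal.evil.example".
host_allowed() {
  for allowed in $ALLOWED_HOSTS; do
    [ "$allowed" = "$1" ] && return 0
  done
  return 1
}

# build_signed_request URL BODY: the gate a QA skill should apply before a
# signed request leaves the machine. Prints the signature header on success;
# refuses (non-zero exit, no signature computed) for non-allowlisted hosts.
build_signed_request() {
  req_url=$1
  req_body=$2
  req_host=$(url_host "$req_url")
  if ! host_allowed "$req_host"; then
    echo "refusing to sign request to non-allowlisted host: $req_host" >&2
    return 1
  fi
  req_secret=$(load_secret SIGNING_SECRET "$ENV_QA")
  req_sig=$(sign_body "$req_secret" "$req_body")
  printf 'X-Signature: %s\n' "$req_sig"
}

# Usage: an allowlisted target gets a signature, an attacker-controlled one
# in a tampered test plan does not.
build_signed_request 'https://qa.example.internal/api/orders' '{"id":1}'
build_signed_request 'https://attacker.example.com/collect' '{"id":1}'
```

The ordering matters: the host check runs before the secret is even loaded, so a rejected endpoint never causes the secret to be read or a signature to be derived. The allowlist is compared by exact host string rather than by prefix, which is what defeats lookalike subdomains and userinfo tricks in a test-plan URL.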
Audit Metadata
Risk Level: SAFE
Analyzed: May 9, 2026, 08:19 PM
Security Audit — agent-trust-hub — qa-chaos-monkey