The Agent Skills Directory

[COMMAND_EXECUTION]: The script scripts/with_server.py uses subprocess.Popen with shell=True to execute arbitrary command strings provided via the --server argument. It also executes a secondary command provided in the trailing arguments using subprocess.run. This design allows for arbitrary shell command execution on the host environment.
[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through the ingestion of untrusted data from web applications. Specifically:
Ingestion Points: Browser console logs are captured in examples/console_logging.py (msg.text), and DOM content (inner text of buttons, links, and inputs) is extracted in examples/element_discovery.py.
Boundary Markers: There are no markers or instructions provided to help the agent distinguish between its own instructions and the content retrieved from the web page.
Capability Inventory: The agent has access to arbitrary shell command execution through the scripts/with_server.py utility.
Sanitization: No sanitization or validation of the retrieved web content is performed before the agent processes it to "identify selectors" or "execute actions".
[PROMPT_INJECTION]: The SKILL.md file contains an instruction to "DO NOT read the source until you try running the script first". While framed as an optimization for the context window, this instruction functions as a concealment tactic that discourages the agent from verifying the implementation and safety of the scripts it is executing.
[EXTERNAL_DOWNLOADS]: The skill relies on the playwright framework, which requires the download and installation of browser binaries (Chromium, Firefox, and WebKit) during its setup phase.

webapp-testing