ito-browser-verify
Warn
Audited by Gen Agent Trust Hub on Apr 21, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8) because it fetches 'Acceptance Criteria' from external GitHub issues (via `gh issue view`) or local markdown files. This content is used to generate browser automation plans without any boundary markers or instructions to ignore embedded malicious commands.
  - Ingestion points: `references/input-resolution.md` (GitHub issue body, local file contents).
  - Boundary markers: Absent in the ingestion and planning phases.
  - Capability inventory: Browser control through `/playwriter`, local file system writes, and shell execution.
  - Sanitization: Absent; the skill relies on the agent to interpret potentially malicious text as simple requirements.
- [COMMAND_EXECUTION]: The skill runs a local bash script, `scripts/make-slug.sh`, passing a 'topic' or 'slug' derived from external input like issue titles. This pattern of executing shell commands with arguments derived from untrusted sources poses a risk of command injection depending on how the underlying agent handles tool execution.
- [DATA_EXFILTRATION]: The skill collects and saves potentially sensitive information—including browser console logs, DOM snapshots, and network data—into local report files. If an attacker uses indirect prompt injection to direct the agent to sensitive internal pages, this data could be captured in the reports.
- [EXTERNAL_DOWNLOADS]: The skill uses the `gh` tool to retrieve data from GitHub. This is a legitimate part of the skill's functionality and interacts with a well-known service.
Audit Metadata