browser-to-api
Pass
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill performs offline processing of local trace files and does not communicate with external servers. The generated JavaScript client uses standard Fetch API calls, which is consistent with its documented purpose of facilitating API integration.
- [SAFE]: All scripts are implemented using only the Node.js standard library, avoiding supply chain risks associated with third-party package dependencies.
- [SAFE]: The skill includes a robust redaction module (`scripts/lib/redact.mjs`) that automatically identifies and scrubs credentials (JWTs, tokens, passwords) and personally identifiable information (emails, phone numbers) from the generated output.
- [SAFE]: User-controlled data extracted from browser traces is properly escaped using `escHtml` before being included in the generated HTML report, preventing potential Cross-Site Scripting (XSS) vulnerabilities.
- [PROMPT_INJECTION]: The skill processes external data (browser trace logs) and has the capability to write files, which constitutes an indirect prompt injection surface. However, this is a standard risk for documentation tools and is mitigated by the skill's sanitization and redaction logic.
- Ingestion points: Browser trace logs are ingested via `scripts/load.mjs` and `scripts/infer.mjs` from the `.o11y/` directory.
- Boundary markers: While explicit instruction-ignoring markers are absent, the skill treats captured content strictly as data for schema inference.
- Capability inventory: The skill uses `scripts/emit.mjs` to write YAML, JSON, Markdown, and HTML files to the local file system.
- Sanitization: The skill employs a dedicated redactor for secrets and applies HTML entity encoding to all content rendered in the visual report.
Audit Metadata