vs-qa
Warn
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill performs various shell operations for environment verification, directory management, and version control, including `git status`, `git add`, `git commit`, and `git revert` to manage code fixes.
- [COMMAND_EXECUTION]: Employs the `agent-browser` tool to execute dynamically generated JavaScript via shell heredocs, allowing complex interaction and data extraction from web pages.
- [DATA_EXFILTRATION]: Accesses sensitive browser state, including cookies and `localStorage` data, via `page.evaluate()` calls, which brings this information into the agent's context.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests untrusted data from external web applications and has the capability to modify local source code.
  - Ingestion points: Untrusted data enters the agent context through `page.snapshotForAI()` and link text extraction in Phase 3 and 4 of `SKILL.md`.
  - Boundary markers: None identified; there are no instructions to the agent to treat page content as untrusted or to ignore instructions embedded within the target application's content.
  - Capability inventory: The skill has high-privilege capabilities including filesystem modification and code commits as described in the Fix Loop (Phase 8) of `SKILL.md`.
  - Sanitization: No sanitization of the content retrieved from the browser is performed before it is used to inform code modification decisions.
- [CREDENTIALS_UNSAFE]: The skill's workflow involves handling user credentials, including passwords and 2FA tokens, during authentication phases. Although it includes rules to redact these in generated reports, the sensitive information is processed within the agent's active execution context.