skills/yonatangross/orchestkit/expect/Gen Agent Trust Hub

expect

Warn

Audited by Gen Agent Trust Hub on May 4, 2026

Risk Level: MEDIUM
Tags: PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
  • [INDIRECT_PROMPT_INJECTION]: The skill generates test plans based on git diffs and commit context, which are then passed to an autonomous agent for execution. Malicious instructions placed in code comments or commit messages in a PR could influence the agent's actions during the test run.
    - Ingestion points: Git diff data retrieved in SKILL.md and scripts/diff-scan.sh, processed in references/test-plan.md.
    - Boundary markers: Absent; the prompt template in references/test-plan.md does not include specific delimiters or instructions to ignore embedded directives in the diff data.
    - Capability inventory: The sub-agent can perform browser automation (clicking, form submission, JavaScript evaluation), and the main agent can execute shell commands and write files.
    - Sanitization: Absent; diff snippets are interpolated directly into the test plan prompt.
  • [DYNAMIC_EXECUTION]: The session recording feature in references/rrweb-recording.md uses eval to inject the rrweb library into the browser context at runtime, facilitating dynamic loading and execution of external scripts.
  • [COMMAND_EXECUTION]: The skill frequently uses the Bash tool to run internal scripts (diff-scan.sh, route-map.sh, fingerprint.sh), manage git state, and invoke the agent-browser CLI tool.
  • [EXTERNAL_DOWNLOADS]: The skill fetches the rrweb JavaScript library from cdn.jsdelivr.net. While this is a well-known and generally trusted service, loading remote scripts into an execution context at runtime represents a dependency and code-integrity risk.
  • [DATA_EXPOSURE_AND_EXFILTRATION]: The rrweb recording capability captures DOM mutations and events for debugging. If sensitive information such as PII or authentication tokens appears in the browser UI during a test, it may be recorded and stored in the .expect/recordings/ directory.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 4, 2026, 05:09 PM