agentation
Facilitates visual UI feedback for AI agents, enabling precise code targeting through structured annotations and seamless integration.
Install this skill
Security score
The agentation skill was audited on Mar 6, 2026 and we found 43 security issues across 3 threat categories. Review the findings below before installing.
Categories Tested
Security Issues
Curl to non-GitHub URL
| 240 | "command": "curl -sf --connect-timeout 1 http://localhost:4747/pending 2>/dev/null | python3 -c \"import sys,json;d=json.load(sys.stdin);c=d['count'];exit(0)if c==0 else[print(f'\\n=== AGENTATION: {c} |
Curl to non-GitHub URL
| 308 | "command": "curl -sf --connect-timeout 1 http://localhost:4747/pending 2>/dev/null | python3 -c \"import sys,json;d=json.load(sys.stdin);c=d.get('count',0);[print(f'[agentation] {c} pending annotation |
Webhook reference - potential data exfiltration
| 3 | description: Visual UI annotation tool for AI agents. Drop the React toolbar into any app — humans click elements and leave feedback, agents receive structured CSS selectors, bounding boxes, and React |
Webhook reference - potential data exfiltration
| 168 | | `webhookUrl` | `string` | — | Webhook URL to receive annotation events | |
Webhook reference - potential data exfiltration
| 518 | ### Pattern 5: Webhook Integration |
Webhook reference - potential data exfiltration
| 521 | <Agentation webhookUrl="https://your-server.com/webhook" /> |
Webhook reference - potential data exfiltration
| 523 | # AGENTATION_WEBHOOK_URL=https://your-server.com/webhook |
Webhook reference - potential data exfiltration
| 608 | | `AGENTATION_WEBHOOK_URL` | Single webhook URL | — | |
Webhook reference - potential data exfiltration
| 609 | | `AGENTATION_WEBHOOKS` | Comma-separated webhook URLs | — | |
Access to hidden dotfiles in home directory
| 215 | **Option B — config file** (`~/.claude/claude_desktop_config.json` for global, or `.claude/mcp.json` for project-level): |
Access to hidden dotfiles in home directory
| 233 | Add to `.claude/settings.json` (project) or `~/.claude/settings.json` (global): |
Access to hidden dotfiles in home directory
| 249 | ### Codex CLI (`~/.codex/`) |
Access to hidden dotfiles in home directory
| 251 | Add to `~/.codex/config.toml`: |
Access to hidden dotfiles in home directory
| 271 | ### Gemini CLI (`~/.gemini/`) |
Access to hidden dotfiles in home directory
| 280 | **Option B — config file** (`~/.gemini/settings.json` for global, `.gemini/settings.json` for project): |
Access to hidden dotfiles in home directory
| 320 | ### OpenCode (`~/.config/opencode/`) |
Access to hidden dotfiles in home directory
| 322 | Add to `~/.config/opencode/opencode.json`: |
Access to hidden dotfiles in home directory
| 392 | mkdir -p ~/.claude |
Access to hidden dotfiles in home directory
| 393 | CFG=~/.claude/claude_desktop_config.json |
Access to hidden dotfiles in home directory
| 404 | mkdir -p ~/.codex |
Access to hidden dotfiles in home directory
| 405 | CFG=~/.codex/config.toml |
Access to hidden dotfiles in home directory
| 414 | mkdir -p ~/.gemini |
Access to hidden dotfiles in home directory
| 415 | CFG=~/.gemini/settings.json |
Access to hidden dotfiles in home directory
| 426 | mkdir -p ~/.config/opencode |
Access to hidden dotfiles in home directory
| 427 | CFG=~/.config/opencode/opencode.json |
Access to hidden dotfiles in home directory
| 612 | SQLite storage: `~/.agentation/store.db` |
Access to hidden dotfiles in home directory
| 634 | | **Claude Code** | `~/.claude/claude_desktop_config.json` | `mcpServers` | `hooks.UserPromptSubmit` in `settings.json` | |
Access to hidden dotfiles in home directory
| 635 | | **Codex CLI** | `~/.codex/config.toml` | `[[mcp_servers]]` (TOML) | `developer_instructions` + `notify` | |
Access to hidden dotfiles in home directory
| 636 | | **Gemini CLI** | `~/.gemini/settings.json` | `mcpServers` | `hooks.AfterAgent` in `settings.json` | |
Access to hidden dotfiles in home directory
| 637 | | **OpenCode** | `~/.config/opencode/opencode.json` | `mcp` (`type: "local"`) | Skills system (no hook needed) | |
Access to .env file
| 110 | {process.env.NODE_ENV === 'development' && <Agentation />} |
Access to .env file
| 127 | {process.env.NODE_ENV === 'development' && ( |
Access to .env file
| 146 | {process.env.NODE_ENV === 'development' && ( |
External URL reference
| 128 | <Agentation endpoint="http://localhost:4747" /> |
External URL reference
| 147 | <Agentation endpoint="http://localhost:4747" /> |
External URL reference
| 240 | "command": "curl -sf --connect-timeout 1 http://localhost:4747/pending 2>/dev/null | python3 -c \"import sys,json;d=json.load(sys.stdin);c=d['count'];exit(0)if c==0 else[print(f'\\n=== AGENTATION: {c} |
External URL reference
| 308 | "command": "curl -sf --connect-timeout 1 http://localhost:4747/pending 2>/dev/null | python3 -c \"import sys,json;d=json.load(sys.stdin);c=d.get('count',0);[print(f'[agentation] {c} pending annotation |
External URL reference
| 507 | agent-browser open http://localhost:3000 |
External URL reference
| 521 | <Agentation webhookUrl="https://your-server.com/webhook" /> |
External URL reference
| 523 | # AGENTATION_WEBHOOK_URL=https://your-server.com/webhook |
External URL reference
| 698 | # <Agentation endpoint="http://localhost:4747" /> |
External URL reference
| 766 | - [agentation npm](https://www.npmjs.com/package/agentation) |
External URL reference
| 767 | - [agentation-mcp npm](https://www.npmjs.com/package/agentation-mcp) |
Install this skill with one command
/learn @supercent-io/agentation