playwright-browser
Fail
Audited by Snyk on Mar 2, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt includes examples and workflows that embed plaintext secrets (e.g., browser_fill with "password123", browser_set_cookies with "abc123", and instructions to fill login forms), which requires the LLM to output secret values verbatim in tool-call arguments, creating exfiltration risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly tells the agent to navigate to arbitrary public websites (e.g., browser_goto examples: news.ycombinator.com, baidu, github.com) and to extract/interpret page content (browser_get_text, browser_get_html, browser_evaluate) to summarize or drive further actions, which exposes the agent to untrusted third-party content that could carry indirect prompt injection.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill exposes tools that modify host state—notably browser_set_system_time and clock-install/fast-forward/pause functions that change the machine's system time—so it instructs the agent to perform system-level changes that can affect the host.