playwright-cli

Fail

Audited by Gen Agent Trust Hub on Feb 13, 2026

Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • REMOTE_CODE_EXECUTION (CRITICAL): The 'playwright-cli run-code' command enables the execution of arbitrary JavaScript within the browser. When an agent visits a malicious website, the site can use indirect prompt injection to force the agent to execute code that steals session cookies, interacts with local network services, or accesses sensitive browser-based data.
  • EXTERNAL_DOWNLOADS (MEDIUM): The skill installs '@playwright/mcp' via npm. While the registry is standard, the package is not from a trusted organization. The documentation's claim of being a 'microsoft' repository is false (the official repo is 'microsoft/playwright', not 'microsoft/playwright-cli'), which is a deceptive metadata tactic.
  • DATA_EXFILTRATION (HIGH): Features like 'network', 'console', and 'screenshot' provide broad surface area for data theft. Injected instructions can utilize these tools to capture sensitive user information and exfiltrate it via browser-based network requests.
  • PROMPT_INJECTION (HIGH): The skill is highly vulnerable to Indirect Prompt Injection. Evidence: (1) Ingestion point: 'open ' allows untrusted web content into the agent's context. (2) Boundary markers: None are present to distinguish between agent instructions and webpage content. (3) Capability inventory: High-privilege actions including JS execution, typing, and network monitoring. (4) Sanitization: None is performed on the content retrieved from the browser.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
CRITICAL
Analyzed
Feb 13, 2026, 09:51 PM