skills/aidotnet/moyucode/playwright/Gen Agent Trust Hub

playwright

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • EXTERNAL_DOWNLOADS (LOW): The skill requires installing the playwright package and browser binaries via npm install and npx playwright install. Per [TRUST-SCOPE-RULE], this is downgraded to LOW as the source (Microsoft) is a trusted organization.
  • INDIRECT PROMPT INJECTION (HIGH): The skill is designed to navigate to and scrape arbitrary external URLs (page.goto(url)). This constitutes a significant attack surface where malicious instructions embedded in web pages could influence the agent's logic.
      • Ingestion points: page.goto(), page.locator().textContent() in SKILL.md.
      • Boundary markers: None present in the provided examples.
      • Capability inventory: File writing (page.screenshot, page.pdf), network requests (context.post), and arbitrary browser execution.
      • Sanitization: No evidence of sanitization for ingested web content before it is processed by the agent.
  • REMOTE_CODE_EXECUTION (MEDIUM): By design, Playwright executes remote JavaScript code from visited websites within a browser context. While sandboxed by the browser, it remains a mechanism for executing untrusted code.
  • DATA_EXFILTRATION (MEDIUM): The tool has the capability to extract data from pages and send it to external APIs via the request context, as shown in the API testing examples.
  • CREDENTIALS_UNSAFE (LOW): The code examples contain hardcoded dummy credentials such as password123 and token123. While these appear to be placeholders, they represent a poor security practice if copied literally into production environments.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 05:10 AM