Playwright Browser Automation
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands to detect local development servers and perform initial environment setup using npm.
- [REMOTE_CODE_EXECUTION]: Performs dynamic code generation and execution. It writes custom JavaScript automation scripts to the /tmp directory and executes them via Node.js. It also supports an inline execution mode where code logic is passed as a string argument to a wrapper script.
- [PROMPT_INJECTION]: Vulnerable to indirect prompt injection because it navigates to and extracts data from arbitrary websites (via page.goto, page.locator().all(), and extractTableData). This untrusted data is processed by the agent and could contain malicious instructions.
- Ingestion points: External web content retrieved via Playwright.
- Boundary markers: None present to distinguish untrusted content.
- Capability inventory: Execution of Node.js scripts via subprocess, file system writes to /tmp, and unrestricted outbound network access through the browser.
- Sanitization: No sanitization of scraped web content is performed.
Audit Metadata