playwriter
Fail
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: HIGH
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides an 'execute' tool and an '-e' flag that let an AI agent run arbitrary JavaScript inside the browser context. This grants complete control over browser actions and DOM manipulation, which can be misused to act on the user's behalf in any site the browser is already logged in to.
- [EXTERNAL_DOWNLOADS]: The installation instructions recommend using 'npx playwriter@latest' and 'npm install', which download and execute code from the public NPM registry at runtime. The package source ('remorses/playwriter') does not match the stated author ('akillness'), and the package is not from a trusted vendor or well-known service.
- [DATA_EXFILTRATION]: By connecting to a running browser instance, the skill grants the agent access to all active login sessions, cookies, and private user data. This creates a high risk of sensitive data being extracted from authenticated sites like Gmail, GitHub, or internal tools.
- [REMOTE_CODE_EXECUTION]: The 'playwriter serve' command and the remote MCP configuration let a remote host control the local browser session. Any network peer that can reach that endpoint gains the same browser-level code execution as the local 'execute' tool, so this path could be exploited to run code in the user's browser from a remote network source.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests untrusted web content (via accessibility snapshots and markdown extraction) and provides it to the agent without sanitization or boundary markers, while maintaining powerful browser-level execution capabilities.
Recommendations
- AI detected serious security threats