playwriter

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes examples that embed sensitive tokens directly in CLI commands and MCP config (e.g., --token my-secret, PLAYWRITER_TOKEN in JSON), which would require the agent to include secret values verbatim in generated commands/configs — a high exfiltration risk.

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.70). The links point to a third‑party GitHub repo, an npm package invoked via npx, and a Chrome Web Store extension — not obviously malicious but potentially risky because npx executes unreviewed code and extensions can have powerful privileges, so you should verify the author, package contents, and extension permissions before installing.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The skill exposes high-risk backdoor-like capabilities — arbitrary JavaScript execution against a user's live, authenticated browser (via -e / MCP execute), an auto-starting localhost WebSocket relay and optional remote relay/tunneling with token auth, plus explicit access to existing logins/cookies, network interception, and session persistence — any of which can be used to steal credentials, exfiltrate data, or enable remote control of a user's browser if misused or if the package/extension is compromised.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's core workflow and MCP/expose execute tool explicitly run Playwright commands like page.goto(...) and snapshot()/getPageMarkdown() against arbitrary web URLs (see SKILL.md "Navigate and observe", the -e/--eval examples, and "Built-in globals"), so the agent will fetch and interpret untrusted public web content which can directly influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill invokes npx playwriter@latest at runtime (see MCP config) which fetches and executes remote npm package code and also requires installing the Playwriter Chrome extension from the Web Store (https://chromewebstore.google.com/detail/playwriter-mcp/jfeammnjpkecdekppnclgkkffahnhfhe and project https://github.com/remorses/playwriter), so external content is fetched at runtime and executed as a required dependency.