playwriter
Fail
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill provides an `execute` tool and a CLI `-e` flag that permit the AI agent to run arbitrary JavaScript code directly within the user's browser context.
- [DATA_EXFILTRATION]: The skill's primary feature is connecting to a running browser with active sessions (cookies, logins, etc.). Combined with the ability to execute arbitrary scripts, this allows for the potential theft of sensitive session data, local storage, and private information from open tabs such as email or source control.
- [EXTERNAL_DOWNLOADS]: Installation involves third-party components: a Chrome extension and a global NPM package (`playwriter`). The MCP setup guide suggests using `npx -y playwriter@latest`, which downloads and runs the latest remote code from the NPM registry.
- [PROMPT_INJECTION]: The skill ingests untrusted data from the web using tools like `snapshot()`, `getPageMarkdown()`, and `getCleanHTML()`. This creates a surface for Indirect Prompt Injection, where instructions embedded in a website's content could override the agent's behavior.
- [COMMAND_EXECUTION]: The skill utilizes a custom command-line tool (`playwriter`) to manage browser sessions and relay commands, requiring the ability to execute shell commands.
Recommendations
- AI detected serious security threats
Audit Metadata