playwriter

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly shows placing secrets/tokens directly in CLI flags and config JSON (e.g., --token my-secret, PLAYWRITER_TOKEN: "your-secret-token"), which would require the agent to include secret values verbatim in generated commands/configs, creating exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This skill explicitly exposes arbitrary JavaScript execution into a user's running Chrome session (preserving logins, cookies, extensions), auto-starts a local WebSocket relay and supports remote tunnels/MCP execution — functionality that can be used as a backdoor for credential theft, data exfiltration, and remote command execution.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's core workflow and MCP/expose execute tool explicitly run Playwright commands like page.goto(...) and snapshot()/getPageMarkdown() against arbitrary web URLs (see SKILL.md "Navigate and observe", the -e/--eval examples, and "Built-in globals"), so the agent will fetch and interpret untrusted public web content which can directly influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill invokes npx playwriter@latest at runtime (see MCP config) which fetches and executes remote npm package code and also requires installing the Playwriter Chrome extension from the Web Store (https://chromewebstore.google.com/detail/playwriter-mcp/jfeammnjpkecdekppnclgkkffahnhfhe and project https://github.com/remorses/playwriter), so external content is fetched at runtime and executed as a required dependency.