playwriter

Fail

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: HIGH
Categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill requires installing and running the playwriter package directly from npm (npm install -g playwriter and npx playwriter@latest). This executes code from a third-party source (remorses/playwriter) that is not on the trusted vendors list.
  • [COMMAND_EXECUTION]: Through the execute tool and -e flag, the skill enables the execution of arbitrary JavaScript within the user's browser. Combined with the enabled Bash tool, this allows an agent to execute commands both in the browser and on the local operating system.
  • [DATA_EXFILTRATION]: The skill explicitly targets authenticated sessions (e.g., Gmail, GitHub, internal tools). This provides the AI agent with access to the user's cookies, private messages, and sensitive session data. If the agent is redirected or malicious code is injected, this data can be exfiltrated.
  • [EXTERNAL_DOWNLOADS]: Usage requires installing a specific Chrome extension from the Web Store (jfeammnjpkecdekppnclgkkffahnhfhe). This adds a third-party software dependency to the user's primary web browser.
  • [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection because it reads and processes live web content (via accessibility snapshots and HTML scraping) and provides that data to the AI agent. A malicious website could contain hidden instructions that trick the agent into using the browser control tools for unauthorized actions.
      • Ingestion points: Browser snapshots (snapshot), markdown conversion (getPageMarkdown), and cleaned HTML (getCleanHTML) in SKILL.md.
      • Boundary markers: No specific delimiters or safety instructions are defined to separate untrusted web content from agent instructions.
      • Capability inventory: The agent can execute arbitrary JavaScript in the browser (execute tool), run shell commands (Bash tool), and read/write local files (Read/Write tools).
      • Sanitization: There is no evidence of sanitization or filtering of the content retrieved from the browser before it is processed by the agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 11, 2026, 09:27 AM