playwriter

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes examples that embed sensitive tokens directly in CLI commands and MCP config (e.g., --token my-secret, PLAYWRITER_TOKEN in JSON), which would require the agent to include secret values verbatim in generated commands/configs — a high exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The skill exposes high-risk backdoor-like capabilities — arbitrary JavaScript execution against a user's live, authenticated browser (via -e / MCP execute), an auto-starting localhost WebSocket relay and optional remote relay/tunneling with token auth, plus explicit access to existing logins/cookies, network interception, and session persistence — any of which can be used to steal credentials, exfiltrate data, or enable remote control of a user's browser if misused or if the package/extension is compromised.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's core workflow and MCP/expose execute tool explicitly run Playwright commands like page.goto(...) and snapshot()/getPageMarkdown() against arbitrary web URLs (see SKILL.md "Navigate and observe", the -e/--eval examples, and "Built-in globals"), so the agent will fetch and interpret untrusted public web content which can directly influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill invokes npx playwriter@latest at runtime (see MCP config) which fetches and executes remote npm package code and also requires installing the Playwriter Chrome extension from the Web Store (https://chromewebstore.google.com/detail/playwriter-mcp/jfeammnjpkecdekppnclgkkffahnhfhe and project https://github.com/remorses/playwriter), so external content is fetched at runtime and executed as a required dependency.