playwright_browser
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is highly vulnerable as it ingests untrusted web data (via browser_tool.py, scraper.py, and search.py) and returns it to the agent without delimiters or sanitization. This, combined with side-effect capabilities in automator.py, creates a high-risk surface where web content can influence agent behavior. Mandatory Evidence: (1) Ingestion points: page.content and text_content in scraper, browser_tool, and search scripts. (2) Boundary markers: Absent. (3) Capability inventory: Clicking, form filling, and JS execution via automator.py. (4) Sanitization: Absent.
- Dynamic Execution (HIGH): The automator.py script allows execution of arbitrary JavaScript code via the page.evaluate() method. This is a dangerous capability that could be exploited if the agent is tricked into running scripts provided by an external source via injection.
- Command Execution (MEDIUM): Multiple scripts launch Chromium browser instances using the --no-sandbox and --disable-setuid-sandbox flags, which bypasses critical security isolation features within the Chromium environment.
Recommendations
- AI detected serious security threats
Audit Metadata