playwright-cli
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFECOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: The
run-codeandevalcommands allow for the execution of arbitrary JavaScript within the browser context, which is a powerful capability that could be abused if the agent is misled into running malicious scripts.\n- [COMMAND_EXECUTION]: The skill documentation includes a PowerShell command intended to persistently modify the host'sPATHenvironment variable to facilitate tool installation, representing a persistent change to the user environment.\n- [PROMPT_INJECTION]: The skill facilitates the ingestion of data from arbitrary websites, creating a surface for indirect prompt injection.\n - Ingestion points: Page content retrieved through
open,snapshot, andevalcommands (SKILL.md).\n - Boundary markers: No delimiters or instructions are defined to separate untrusted web content from agent instructions.\n
- Capability inventory: The tool can execute arbitrary scripts, interact with page elements, and manage browser sessions.\n
- Sanitization: Content extracted from the browser is not sanitized before being processed by the agent.\n- [DATA_EXFILTRATION]: Documentation in
references/storage-state.mddetails how to export and save sensitive browser storage state, including authentication cookies and tokens, to local files, which could lead to unauthorized access if these files are exposed.\n- [EXTERNAL_DOWNLOADS]: The skill relies on the installation of theplaywright-clipackage from the npm registry.
Audit Metadata