playwright-cli
Warn
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The `run-code` and `eval` commands permit the execution of arbitrary JavaScript and Playwright code within the browser context. This provides a powerful interface for web interaction but also functions as a dynamic code execution vector.
- [CREDENTIALS_UNSAFE]: The skill includes dedicated commands for accessing sensitive session information, such as `cookie-get`, `cookie-list`, and `state-save`. These can be used to extract and persist authentication tokens and session states.
- [EXTERNAL_DOWNLOADS]: The documentation encourages running the tool via `npx playwright-cli`, which involves downloading and executing package code from the public NPM registry at runtime.
- [DATA_EXFILTRATION]: The skill provides access to sensitive data points including browser cookies, local storage, and the system clipboard (via `run-code`). This information could be exfiltrated if the agent is directed to malicious sites or instructed to transmit collected data.
- [PROMPT_INJECTION]: The skill presents a significant indirect prompt injection surface as it is designed to ingest and process content from arbitrary web pages.
  - Ingestion points: Browser snapshots, page titles, and full page content extracted via CLI commands (SKILL.md, running-code.md).
  - Boundary markers: None identified; web content is ingested directly into the agent context.
  - Capability inventory: Includes arbitrary code execution, network request mocking, and access to authentication secrets.
  - Sanitization: No mechanisms for sanitizing or filtering ingested web content are described.
Audit Metadata