playwright-browser

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's Playwright server and client explicitly navigate to arbitrary URLs supplied to scripts (e.g., scripts/navigate.rb and scripts/screenshot.rb calling Playwright via docker/playwright-api-server.js which uses page.goto), and it returns/evaluates page content through endpoints like /content and /evaluate, meaning untrusted public web pages can be ingested and influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill pulls and runs the external Docker image mcr.microsoft.com/playwright:v1.57.0-jammy (and runs "npm install" inside the container, which fetches and executes packages such as playwright/express from the npm registry at runtime), so remote code is downloaded and executed as a required runtime dependency.