playwright-cli
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on executing the `playwright-cli` binary via Bash for all operations. Evidence found throughout `SKILL.md` (e.g., `playwright-cli open`, `playwright-cli snapshot`).
- [REMOTE_CODE_EXECUTION]: The `run-code` and `eval` commands allow for the execution of arbitrary JavaScript within the browser context, which could be misused to interact with page elements or exfiltrate data. Evidence found in `references/running-code.md` and `SKILL.md`.
- [EXTERNAL_DOWNLOADS]: The documentation explicitly suggests using `npx playwright-cli` as a fallback, which results in the download and execution of code from the npm registry at runtime. Evidence found in `SKILL.md`.
- [CREDENTIALS_UNSAFE]: The skill provides commands to list, get, and set sensitive session data such as cookies and localStorage items, and can save the entire browser state to a JSON file. Evidence found in `references/storage-state.md` (e.g., `cookie-list`, `state-save`).
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests untrusted data from the web.
  - Ingestion points: Browser navigation via `goto` and `open` commands in `SKILL.md`.
  - Boundary markers: None provided to prevent the agent from following instructions found on navigated pages.
  - Capability inventory: Arbitrary JS execution (`run-code`), file system access (writing screenshots, PDFs, and session states), and network access through the browser.
  - Sanitization: No sanitization or filtering of external web content is described.
Audit Metadata