playwright-cli

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt includes command examples that embed secrets verbatim (e.g., fill e2 "password123", cookie-set session_id abc123) and the CLI semantics require placing credential values directly into commands, so an LLM would need to output secrets verbatim, creating exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md and reference docs explicitly show the agent opening arbitrary URLs and ingesting page content (e.g., "playwright-cli open/goto https://example.com", snapshots, and the "Scrape data from multiple pages" example in references/running-code.md and the concurrent scraping example in references/session-management.md), so it fetches and interprets untrusted public web content as part of its workflow and can use that content to drive subsequent actions.