playwright-human-in-the-loop
Pass
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill implements a robust 'Human-in-the-Loop' workflow, requiring explicit user confirmation via the
AskUserQuestiontool before any high-risk operation, such as resource deletion, IAM policy modification, or final form submission. - [SAFE]: The instructions include proactive safety constraints, such as prohibiting the automated clicking of 'Delete' or 'Terminate' buttons and instructing the agent to never input real secrets into the browser, directing the user to perform those tasks manually.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted data from external websites using browser snapshots and page content tools.
- Ingestion points: Untrusted data enters the context through
mcp__playwright__browser_snapshotand page content reads (SKILL.md). - Boundary markers: The skill does not define specific delimiters to separate external web content from internal instructions.
- Capability inventory: The skill utilizes browser tools for navigation, form interaction, and JavaScript evaluation.
- Sanitization: No explicit sanitization or filtering of external content is described.
- Mitigation: The risk is significantly mitigated by the mandatory human confirmation step for all major operations and the requirement to create an 'Operation Plan' before execution.
Audit Metadata