playwright-cli

Warn

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The run-code and eval commands allow the execution of arbitrary JavaScript within the browser context. This dynamic code execution capability poses a risk if the agent is directed to run code from untrusted sources.
  • [COMMAND_EXECUTION]: The skill executes commands through a CLI wrapper (playwright-cli) and includes file system operations such as rm -rf for cleaning up temporary files. It also suggests using npx for local installation, which downloads and executes external code.
  • [DATA_EXFILTRATION]: The skill can read and export sensitive browser data including cookies, localStorage, and authentication states. These can be saved to local files using the state-save command, which could be exploited to extract credentials.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its web navigation capabilities.
      • Ingestion points: External websites accessed via the goto and open commands in SKILL.md.
      • Boundary markers: The skill does not implement specific boundary markers to distinguish between system instructions and content from web pages.
      • Capability inventory: The toolset includes highly capable functions such as run-code, eval, and file system operations across all documentation.
      • Sanitization: There is no evidence of sanitization or filtering of web content before it is processed by the agent.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 10, 2026, 10:17 PM