playwright-skill

Warn

Audited by Snyk on Mar 5, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). This skill explicitly navigates to and processes arbitrary URLs provided or discovered (see SKILL.md steps "ask for URL or offer to help start dev server" and examples using page.goto(TARGET_URL)), and the helpers (lib/helpers.js) include extractTexts, extractTableData, handleCookieBanner and link-checking that read and act on untrusted public web content, so third-party pages can materially influence automated actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The run.js executor installs dependencies at runtime with execSync('npm install') and execSync('npx playwright install chromium'). These calls fetch packages from the npm registry (e.g. https://registry.npmjs.org) and Playwright browser binaries (e.g. https://playwright.azureedge.net), so the skill downloads and installs remote code and artifacts that it requires, which can result in execution of that remote code.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 5, 2026, 09:51 PM