screen-control-operator
Audited by Socket on Feb 16, 2026
1 alert found:
Malware
[Skill Scanner] Installation of third-party script detected

All findings:
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[HIGH] supply_chain: Download or install from free hosting/deployment platform detected (SC007) [AITech 9.1.4]

The module provides powerful, correct Playwright-based automation for DOM/a11y inspection and interaction. There is no evidence of obfuscated or overtly malicious code, but the operational design (explicit 'NEVER ask permission', ability to enumerate forms and interact automatically, and CI artifact upload of results) enables realistic abuse scenarios (sensitive data collection, internal scanning, unintended form submissions). Treat this package as high-risk from a supply-chain/operational perspective until guardrails (domain allowlist, consent prompts, redaction, CI input restrictions, and audit logging) are implemented.

LLM verification: The code implements legitimate and coherent browser automation and DOM/A11y inspection functionality. There is no direct evidence of malware in the provided fragment, but there are significant operational and supply-chain risks: an explicit instruction to operate without permission, unpinned dependencies, and collection of potentially sensitive page data (A11y tree, innerText, console logs, outgoing requests). These characteristics make the skill high-risk for misuse or accidental data exposure