playwriter

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). SKILL.md explicitly instructs the agent to attach to the user's active Chrome tab and run arbitrary in-page evaluations/read DOM (e.g., page.evaluate, console.log outputs, accessibilitySnapshot, locator.innerText) against whatever public/untrusted webpage is open, so the agent will ingest and act on third-party content that could influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill invokes the Playwriter CLI at runtime via "npx -y playwriter", which fetches and executes remote package code from the npm registry (e.g. https://registry.npmjs.org/playwriter) and is required for running arbitrary in-page/CLI-evaluated code, so it is a runtime external dependency that executes remote code.