playwright-skill
Warn
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The run.js script implements a dynamic execution pattern where JavaScript code provided as input is wrapped in a template, written to a timestamped temporary file within the skill directory, and then executed using the Node.js require() function.
- [COMMAND_EXECUTION]: The skill's setup process and execution wrapper utilize child_process.execSync to install dependencies and manage the Playwright environment, allowing for arbitrary system command execution during the initialization phase.
- [DATA_EXFILTRATION]: The lib/helpers.js utility includes a detectDevServers function that performs automated local network probing by attempting HTTP connections to a predefined list of common development ports on localhost.
- [PROMPT_INJECTION]: The skill exhibits a high vulnerability surface for indirect prompt injection. Because it is designed to navigate to arbitrary URLs and extract page content (via extractTexts, extractTableData, etc.), the agent could ingest and follow malicious instructions embedded in third-party websites.
  - Ingestion points: page.goto, extractTexts, extractTableData, and page.evaluate calls in lib/helpers.js.
  - Boundary markers: None identified in the script logic to distinguish between trusted instructions and untrusted web content.
  - Capability inventory: Subprocess execution via execSync in run.js, file system writing in run.js and lib/helpers.js, and full network access via the Playwright browser.
  - Sanitization: No evidence of input sanitization or instruction filtering for content retrieved from external URLs.
Audit Metadata