playwright-cli
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the
playwright-cliutility to automate browser interactions such as clicking, typing, and navigating, which allows the agent to execute actions within a web browser context. - [EXTERNAL_DOWNLOADS]: The
install-browsercommand triggers the download of browser binaries from external servers. Additionally, the tool's reliance on the@playwright/cliNPM package (configurable via environment variables) involves the installation of external software components. - [DATA_EXFILTRATION]: The
state-saveandstate-loadfeatures manage sensitive browser session data, including cookies and authentication tokens, by storing them in local files likeauth.json. This introduces a risk of credential exposure if these files are accessed by unauthorized users or malicious scripts. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from the web via
snapshotandgotocommands. A malicious website could contain hidden instructions designed to hijack the agent's behavior once the content is processed. - Ingestion points: Browser DOM snapshots and page content accessed via
playwright-cli snapshotandopen. - Boundary markers: None identified; there are no instructions provided to the agent to treat website content as untrusted or to ignore embedded instructions.
- Capability inventory: Full browser automation (click, fill, type, navigate) and the ability to save session state or take screenshots.
- Sanitization: No sanitization or filtering of web content is performed before it is presented to the agent.
Audit Metadata