playwright-cli

Warn

Audited by Gen Agent Trust Hub on Feb 28, 2026

Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill includes a 'run-code' command that executes arbitrary asynchronous JavaScript within the Node.js/Playwright environment, which can be used to interact with the host system.
    • Evidence: 'playwright-cli run-code "async page => { ... }"' described in 'references/running-code.md'.
  • [DATA_EXFILTRATION]: The skill provides explicit commands for extracting and saving sensitive browser state, including session cookies and local storage values, which could be misused to steal active sessions.
    • Evidence: 'cookie-list', 'cookie-get', 'localstorage-get', and 'state-save' commands in 'SKILL.md' and 'references/storage-state.md'.
  • [COMMAND_EXECUTION]: The skill instructions suggest using 'npx playwright-cli', which involves downloading and executing code from the NPM registry at runtime.
    • Evidence: Installation instructions in 'SKILL.md'.
  • [PROMPT_INJECTION]: The skill is highly susceptible to Indirect Prompt Injection because it retrieves and processes untrusted content from the open web without sanitization or boundary markers.
    • Ingestion points: 'playwright-cli open', 'goto', and 'snapshot' commands in 'SKILL.md' read data from arbitrary URLs.
    • Boundary markers: None identified; page content is processed directly into the agent's context.
    • Capability inventory: Includes 'run-code' (arbitrary JS execution), 'cookie-get' (sensitive data access), 'state-save' (file writing), and 'eval' (browser execution).
    • Sanitization: No evidence of filtering or escaping web content before it is presented to the agent.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 28, 2026, 04:26 AM