playwright-cli
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUM (REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [REMOTE_CODE_EXECUTION]: The `run-code` command enables the execution of arbitrary JavaScript/Playwright code strings. This is a powerful feature that can be exploited if the agent is tricked into running malicious scripts.
  - Evidence: Found in `references/running-code.md` and `SKILL.md`.
- [DATA_EXFILTRATION]: The skill provides numerous commands to extract sensitive browser information, including cookies, localStorage, and full session states (`state-save`, `cookie-list`, `localstorage-get`). This data can contain authentication tokens and private user information.
  - Evidence: Found in `SKILL.md` and `references/storage-state.md`.
- [COMMAND_EXECUTION]: The skill operates by executing commands through a `playwright-cli` binary via the Bash tool. It also allows for file system operations such as saving screenshots, PDFs, and trace files.
  - Evidence: Found in `SKILL.md` command definitions.
- [EXTERNAL_DOWNLOADS]: The skill includes commands to install external components, specifically `install --skills` and `install-browser`, which download software from remote sources.
  - Evidence: Found in `SKILL.md` under the Install section.
- [INDIRECT_PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection because it reads and processes untrusted content from the live web.
  - Ingestion points: Web page content ingested via `snapshot`, `eval`, and `run-code` in `SKILL.md`.
  - Boundary markers: Absent. No instructions are provided to the agent to ignore instructions embedded in the web content.
  - Capability inventory: Subprocess execution via Bash, arbitrary JS execution via `run-code`, file-write via `screenshot`/`pdf`/`state-save`, and network mocking via `route`.
  - Sanitization: Absent. The skill does not appear to sanitize or validate content extracted from browsers before it is returned to the agent context.
Audit Metadata