playwright-interactive
Fail
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: In SKILL.md, the instructions explicitly direct the user to bypass the agent's security sandbox by starting the process with the --sandbox danger-full-access flag. This removes execution constraints and provides the agent with full access to the local host environment.
- [COMMAND_EXECUTION]: In SKILL.md, the skill utilizes shell commands to initialize the workspace, install dependencies via npm, and run persistent development servers for debugging purposes.
- [EXTERNAL_DOWNLOADS]: In SKILL.md, the setup process downloads and installs the playwright and electron packages from their official registries and fetches the Chromium browser binary.
- [DATA_EXFILTRATION]: In SKILL.md, the skill captures screenshots of local web and desktop application interfaces and emits them to the model using codex.emitImage. This facilitates the transmission of potentially sensitive visual data from the local environment to an external service.
- [PROMPT_INJECTION]: In SKILL.md, the skill is vulnerable to indirect prompt injection as it interacts with and processes untrusted content from external websites and local applications.
  - Ingestion points: Web content loaded via page.goto() and application context/state accessed via appWindow.evaluate().
  - Boundary markers: None are present in the REPL instructions to distinguish between developer commands and data-originated instructions.
  - Capability inventory: Full shell execution via js_repl and persistent TTY sessions, combined with the explicitly requested removal of sandbox restrictions.
  - Sanitization: None; the agent processes and interprets the DOM and application context directly for QA evaluation.
Recommendations
- AI detected serious security threats
Audit Metadata