playwright-mcp
Fail
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
- REMOTE_CODE_EXECUTION (HIGH): The tool 'browser_run_code' allows the execution of arbitrary Playwright code strings. This is a high-risk capability that could lead to host compromise depending on the MCP server's isolation.
- DATA_EXFILTRATION (HIGH): The 'browser_file_upload' tool allows the agent to upload files from arbitrary local paths (e.g., '~/.ssh/id_rsa') to a remote website controlled by the browser, posing a severe risk of credential or sensitive data theft.
- COMMAND_EXECUTION (MEDIUM): The 'browser_evaluate' tool permits the execution of arbitrary JavaScript within the browser's page context, which can be used to steal session cookies, perform CSRF-like actions, or exfiltrate DOM content.
- EXTERNAL_DOWNLOADS (MEDIUM): The 'browser_install' tool triggers the download and installation of browser binaries, which could be exploited to download malicious executables if the underlying server configuration is insecure.
- PROMPT_INJECTION (LOW): The skill is susceptible to indirect prompt injection. Evidence: 1. Ingestion points: 'browser_snapshot' and 'browser_network_requests' in SKILL.md. 2. Boundary markers: Absent. 3. Capability inventory: 'browser_run_code', 'browser_file_upload', and 'browser_evaluate'. 4. Sanitization: Absent. A malicious website could provide instructions in the accessibility tree that the agent inadvertently follows.
Recommendations
- AI detected serious security threats
Audit Metadata