Skills
skills/dedalus-erp-pas/foundation-skills/playwright-skill/Gen Agent Trust Hub

playwright-skill

Warn

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill generates and executes JavaScript files in the temporary directory (/tmp) to perform browser automation tasks, a form of dynamic code execution.
  • [COMMAND_EXECUTION]: Executes shell commands via child_process.spawn with shell: true to start development servers and uses host utilities like lsof and netstat for network reconnaissance.
  • [PROMPT_INJECTION]: Vulnerable to Indirect Prompt Injection (Category 8) because the skill's core purpose involves navigating to and interacting with untrusted external web content.
  • Ingestion points: Data entering the agent context via page.goto() and DOM inspection methods like textContent() or getAttribute().
  • Boundary markers: Absent. No delimiters or 'ignore' instructions are used to separate user instructions from untrusted data retrieved from target web pages.
  • Capability inventory: Subprocess spawning via spawn, file system writes to /tmp, and comprehensive browser automation (clicking, form filling, navigation).
  • Sanitization: Absent. The skill examples demonstrate direct use of web-retrieved content in automation logic without filtering or escaping.
  • [DATA_EXFILTRATION]: The automated link checker performs HEAD requests to arbitrary URLs found on web pages, which can be exploited for Server-Side Request Forgery (SSRF) to probe internal network infrastructure.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 13, 2026, 04:15 AM