playwright
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill defines workflows for visiting user-provided or discovered URLs (`ad-hoc-automation.md`, `link-checking.md`) to perform automation tasks. This exposes the agent to untrusted external content that can contain hidden instructions to override the agent's goals.
  - Ingestion points: `page.goto(url)` in `ad-hoc-automation.md` and link collection in `link-checking.md`.
  - Boundary markers: None specified in the instructions to separate untrusted web content from agent instructions.
  - Capability inventory: The skill allows for local file writing (`storageState.json`), command execution (`npx playwright test`, `node scripts/...`), and network routing control (`page.route`).
  - Sanitization: No sanitization of page content is mentioned before the agent processes it.
- Unsafe Credential Handling (MEDIUM): The skill explicitly guides the agent to manage and reuse `storageState.json` files in `references/auth-and-storage-state.md`.
  - Evidence: These files contain plaintext session cookies and authentication tokens. While the skill suggests gitignoring them, an agent compromised via indirect prompt injection could be instructed to exfiltrate these files to an external server.
- External Downloads & Privilege Escalation (MEDIUM): The skill instructs the agent to perform package installations and system-level setup.
  - Evidence: `references/ci-and-config.md` and `references/e2e-with-playwright-test.md` recommend `npm install` and `npx playwright install --with-deps`. On Linux, the latter frequently requires or attempts to use `sudo` to install OS-level dependencies, which is a high-privilege operation.
Recommendations
- AI detected serious security threats
Audit Metadata