playwright-cli
Warn
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: MEDIUMREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONCREDENTIALS_UNSAFECOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: The
run-codeandevalcommands permit the execution of arbitrary JavaScript and Playwright code within the browser context. This allows for complex automation but provides a direct vector for executing unverified scripts if the command input is influenced by external or malicious data.\n- [DATA_EXFILTRATION]: Theuploadcommand enables the browser to transmit local files to remote servers. This presents a high risk of exfiltrating sensitive local data, such as private keys or environment configuration files, if the agent is coerced into uploading them.\n- [CREDENTIALS_UNSAFE]: The skill includesstate-saveandstate-loadfunctions to manage session state, which includes authentication cookies and local storage tokens. Storing these secrets in local JSON files (e.g.,auth.json) creates a risk of credential exposure if the files are improperly handled or accessed by unauthorized processes.\n- [COMMAND_EXECUTION]: The skill relies on executing various shell commands via theplaywright-cliutility, which provides the agent with broad control over browser sessions and local file system outputs (screenshots, PDFs, and traces).\n- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted content from the web and possesses powerful system capabilities.\n - Ingestion points: Web content is retrieved via
snapshot,run-code(usingpage.content()), andevalcommands.\n - Boundary markers: The documentation does not specify the use of delimiters or 'ignore' instructions to isolate untrusted web content from the agent's core logic.\n
- Capability inventory: The skill has the ability to perform file uploads, network navigation, session state manipulation, and arbitrary code execution.\n
- Sanitization: No sanitization or validation mechanisms are described for the content extracted from external websites.\n- [EXTERNAL_DOWNLOADS]: The skill references
npx playwright-clias a fallback method, which involves downloading and executing the tool from the official NPM registry.
Audit Metadata