playwright
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill creates a high-risk attack surface by directing the agent to process untrusted external data with high-privilege capabilities.
  - Ingestion points: The 'MCP Workflow' section mandates that the agent 'Navigate to target page', 'Take snapshot', and 'Interact with forms/elements' to explore the page structure.
  - Boundary markers: Absent. The instructions do not include delimiters or warnings to treat web page content as untrusted or to ignore embedded instructions within the DOM.
  - Capability inventory: The skill allows the agent to create and modify TypeScript files (Page Objects and Specs) and execute shell commands ('npx playwright test').
  - Sanitization: Absent. There are no requirements for the agent to sanitize or validate data extracted from web pages before using it in code generation or documentation.
  - Risk: A malicious website could use hidden HTML elements, attributes, or comments to inject instructions that the agent might follow during its exploration phase, potentially leading to the generation of malicious test code or the execution of unauthorized shell commands.
- [COMMAND_EXECUTION] (MEDIUM): The skill explicitly authorizes the execution of shell commands through the Playwright CLI.
  - Evidence: The 'Commands' section lists 'npx playwright test' with various flags like '--ui' and '--debug'.
  - Risk: While standard for a testing tool, these commands serve as an execution vector if the agent's logic is subverted by an indirect prompt injection. A manipulated agent could be tricked into running modified test suites that perform malicious actions on the host system.
Recommendations
- AI detected serious security threats
Audit Metadata