playwright-cli

Fail

Audited by Gen Agent Trust Hub on Mar 20, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes a custom CLI tool, playwright-cli, which is executed through Bash to perform browser automation tasks such as navigating, clicking, and form filling as described in SKILL.md.
  • [EXTERNAL_DOWNLOADS]: The documentation in SKILL.md suggests that users may run the tool using npx playwright-cli, which involves downloading and executing the package from the public NPM registry at runtime.
  • [REMOTE_CODE_EXECUTION]: The run-code and eval commands (referenced in SKILL.md and references/running-code.md) allow the execution of arbitrary JavaScript strings within the browser context. This provides a powerful mechanism for complex interactions but also enables the execution of potentially malicious code if the input is influenced by untrusted sources.
  • [DATA_EXFILTRATION]: The skill provides extensive access to sensitive browser data. It includes commands to list, get, and set cookies and local storage items (SKILL.md, references/storage-state.md). Furthermore, it encourages saving the entire authentication state, including session tokens, to local files like auth.json, which could be accessed if the local environment is compromised.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its processing of external data and high-privilege capabilities.
      • Ingestion points: The skill ingests untrusted external content from any URL provided to the goto or open commands, and captures page state via the snapshot command (SKILL.md).
      • Boundary markers: There are no instructions or delimiters defined to prevent the agent from interpreting instructions found within web pages as its own.
      • Capability inventory: The skill possesses powerful write and execution capabilities, including arbitrary JS execution (run-code), cookie manipulation (cookie-set), and form interaction (fill), across multiple files (SKILL.md, references/running-code.md, references/storage-state.md).
      • Sanitization: The skill lacks any mechanism to sanitize or filter external web content before the agent processes it, allowing embedded malicious instructions to potentially influence the agent's behavior.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 20, 2026, 01:01 AM