browser-automation
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The skill's primary mechanism is
mcp__playwright__browser_run_code, which executes arbitrary JavaScript within the browser. This capability allows the agent to perform any action on a webpage, including complex interactions and data exfiltration, as demonstrated inSKILL.mdandreferences/examples.md. - CREDENTIALS_UNSAFE (MEDIUM): The
interactive-flow.mddocumentation describes a pattern where the agent collects user credentials (emails, passwords) viaAskUserQuestionand then passes them as plain text within aTaskprompt or interpolates them into JavaScript code. This places sensitive secrets directly into the agent's context and history. - EXTERNAL_DOWNLOADS (LOW): The README.md instructs users to install
@anthropic-ai/mcp-playwrightvianpx. While the source is a trusted organization, the use ofnpxto fetch and run remote packages at runtime introduces standard supply-chain risks. - PROMPT_INJECTION (LOW): This skill is highly susceptible to Indirect Prompt Injection (Category 8).
- Ingestion points: Any website navigated to via the Playwright tools (e.g.,
browser_navigate,browser_run_code). - Boundary markers: The prompt templates in
SKILL.mdlack delimiters or specific instructions to ignore embedded commands in the web content. - Capability inventory: The agent has full JavaScript execution (
browser_run_code), subagent creation (Task), and user interaction (AskUserQuestion) capabilities. - Sanitization: There is no evidence of sanitization or filtering of the HTML/content being processed from external sites.
Audit Metadata