playwright-skill
Warn
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: MEDIUM | REMOTE_CODE_EXECUTION | DATA_EXFILTRATION | PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The "eval" command in "playwright_skill.py" allows the agent to execute arbitrary JavaScript within the browser context using the "page.evaluate()" method. This is a core automation feature but poses a risk if the agent is directed to execute untrusted code on a target website.
- [DATA_EXFILTRATION]: The skill manages persistent browser sessions in a local "sessions/" directory and provides a "cookies" command to read and set authentication cookies. Access to these cookies represents a risk of credential exposure and potential session hijacking if the agent is compromised.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it retrieves and processes content from arbitrary websites.
  - Ingestion points: Data enters the context from the web via the "open", "extract", and "html" commands in "playwright_skill.py".
  - Boundary markers: The skill lacks boundary markers or instructions to the agent to ignore embedded commands within the scraped web content.
  - Capability inventory: The skill possesses powerful capabilities including arbitrary script execution ("eval"), cookie manipulation ("cookies"), and local file system writes ("screenshot", "pdf", "html").
  - Sanitization: There is no evidence of data sanitization or validation performed on content extracted from external sources before it is returned to the agent context.
  - Mitigation: Use explicit delimiters for web content and instruct the agent to ignore instructions within those boundaries.
Audit Metadata