browser-screenshot
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill facilitates the execution of a Python script (scripts/screenshot.py) via the command line. It encourages the agent to interpolate user-provided parameters such as URLs, file paths, and CSS selectors directly into shell commands, creating a potential vector for command manipulation.
- [DATA_EXFILTRATION]: The implementation uses Playwright to navigate to URLs without restricting schemes, potentially allowing the use of the file:// protocol to capture screenshots of sensitive local files (Exposure). Additionally, the output_path can be set to arbitrary locations, which could be exploited to overwrite files in sensitive directories.
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the playwright package and its associated browser binaries. These are fetched from well-known and official sources.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted web content without adequate boundary markers or sanitization.
  - Ingestion points: The url and CSS selector arguments passed to scripts/screenshot.py.
  - Boundary markers: No delimiters or safety instructions are used to separate untrusted web content from the agent's instructions.
  - Capability inventory: The skill has the capability to write to the filesystem and access the network via Playwright.
  - Sanitization: There is no validation or filtering performed on the user-provided URL or the output path.