playwright-cli
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
Categories: REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): The 'run-code' and 'eval' commands allow the agent to execute arbitrary JavaScript within the browser context. Findings: 'playwright-cli run-code' and 'playwright-cli eval' are documented in SKILL.md and references/running-code.md for advanced interaction.
- [DATA_EXFILTRATION] (HIGH): The skill exposes tools to extract and save sensitive session state, including cookies and local storage, which often contain authentication tokens. Findings: 'cookie-list', 'localstorage-get', and 'state-save' (e.g., 'state-save auth.json') in SKILL.md and references/storage-state.md.
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8). Ingestion point: Untrusted data enters the context when the agent navigates to external websites and takes snapshots ('playwright-cli snapshot'). Capabilities: High-privilege actions including network routing, file writing, and arbitrary code execution ('run-code'). Evidence: No boundary markers or sanitization processes are defined for content ingested from the browser.
- [COMMAND_EXECUTION] (MEDIUM): The skill permits writing files to the local file system with user-controllable filenames. Findings: 'screenshot --filename', 'pdf --filename', and 'state-save [filename]' commands allow for potential arbitrary file writes.
Recommendations
- AI detected serious security threats
Audit Metadata