playwriter
Warn
Audited by Gen Agent Trust Hub on Mar 20, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill facilitates the execution of arbitrary JavaScript code within the browser through the
-eflag and theexecutetool, allowing full control over the browser session. - [COMMAND_EXECUTION]: The skill requests high-privilege access to the system shell (
Bash), which allows for the execution of arbitrary operating system commands. - [REMOTE_CODE_EXECUTION]: The installation and usage instructions recommend using
npx playwriter@latest, which dynamically downloads and executes code from the npm registry at runtime. - [DATA_EXFILTRATION]: The skill is designed to interact with the user's existing Chrome session, granting it access to sensitive authenticated data, including session cookies, active logins, and extension data.
- [PROMPT_INJECTION]: The skill exhibits a significant surface area for indirect prompt injection attacks.
- Ingestion points: The skill ingests untrusted data from external websites using functions like
snapshot(),getPageMarkdown(), andgetCleanHTML(). - Boundary markers: No specific delimiters or instructions are provided to help the agent distinguish between its own instructions and content found on the web.
- Capability inventory: The agent has access to arbitrary code execution in the browser (
execute), filesystem operations (Read,Write), and shell command execution (Bash). - Sanitization: There is no evidence of sanitizing or validating content retrieved from the web before it is processed or used in decision-making.
Audit Metadata