playwright-cli

Warn

Audited by Gen Agent Trust Hub on Apr 26, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The playwright-cli run-code command allows for the execution of arbitrary Playwright code. Since Playwright runs in a Node.js environment, this effectively grants the ability to execute arbitrary Node.js scripts on the host system.
  • [COMMAND_EXECUTION]: The playwright-cli eval command allows for the execution of arbitrary JavaScript within the browser's context, which can be used to interact with page content or modify browser behavior.
  • [DATA_EXFILTRATION]: The skill provides extensive commands for managing browser state, including state-save, cookie-list, localstorage-list, and sessionstorage-list. These commands access sensitive authentication tokens and session data that could be exfiltrated if the agent is directed to a malicious site or receives malicious instructions.
  • [PROMPT_INJECTION]: The skill is a primary target for indirect prompt injection. It ingests data from external websites through snapshot, screenshot, and eval commands. Maliciously crafted web pages could contain instructions designed to hijack the agent's behavior.
      • Ingestion points: External websites accessed via open, goto, and snapshot (SKILL.md).
      • Boundary markers: None identified. The skill does not instruct the agent to ignore or delimit instructions found within the web pages it browses.
      • Capability inventory: The skill has significant capabilities including arbitrary script execution (run-code, eval), file system writes (screenshot, pdf, state-save), and network interactions (open, route).
      • Sanitization: No sanitization of the web content is performed before it is presented to the agent.
Audit Metadata
  Risk Level: MEDIUM
  Analyzed: Apr 26, 2026, 10:55 AM