playwright-skill

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly auto-detects or accepts arbitrary URLs and then loads and interacts with those pages (see SKILL.md's "detect dev servers / ask for URL", numerous page.goto examples), run.js's support for executing inline or file-provided Playwright code, and lib/helpers.js functions like detectDevServers, extractTexts, handleCookieBanner and createContext — all of which fetch and interpret untrusted third‑party web content that can steer subsequent automated actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The run.js executor will run npm install and npx playwright install chromium at runtime, causing the skill to fetch and execute code from the npm registry (e.g. https://registry.npmjs.org/) and Playwright's browser download endpoints, which are required dependencies and thus introduce remote-execution risk.