playwright-skill
Fail
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The `run.js` script allows the execution of arbitrary JavaScript code provided as a command-line argument or via stdin. It writes this input to a temporary file and runs it with the Node.js interpreter, providing unrestricted access to host resources through modules like `fs` and `child_process`.
- [REMOTE_CODE_EXECUTION]: The skill facilitates remote code execution by allowing the agent to run dynamically generated scripts and automatically downloading necessary binaries via `npm install` and `npx playwright install` at runtime.
- [EXTERNAL_DOWNLOADS]: The `installPlaywright` function in `run.js` triggers `npm install` and `npx playwright install` to fetch the Playwright library and browser binaries from official registries.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection via its web scraping capabilities.
  - Ingestion points: Functions in `lib/helpers.js` such as `getPageText`, `getPageStructure`, and `describePageForAI` retrieve data from arbitrary external URLs.
  - Boundary markers: None present; content is returned as raw strings or objects.
  - Capability inventory: The skill has high-privilege system access via the `run.js` code execution bridge.
  - Sanitization: No validation or filtering is performed on data retrieved from external sources before processing.
- [COMMAND_EXECUTION]: The `launchBrowser` function in `lib/helpers.js` explicitly disables the browser's security sandbox using the `--no-sandbox` and `--disable-setuid-sandbox` flags, increasing the risk of a host system compromise if a malicious website is visited.
Recommendations
- AI detected serious security threats
Audit Metadata