playwright-skill

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill's examples and usage explicitly embed plaintext credentials (e.g., await page.fill(..., 'admin123456') and inline node run.js commands with passwords), which would require the model to output secret values verbatim if those were real secrets, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly navigates arbitrary web URLs (e.g., page.goto in SKILL.md and run.js) and mandates calling helpers.describePageForAI()/getPageStructure()/getPageText (lib/helpers.js) to read and interpret page content, so untrusted public webpages can directly influence subsequent automated actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). run.js can auto-run "npm install" and "npx playwright install chromium" at runtime, which fetches and executes code from the npm registry (e.g., https://registry.npmjs.org/playwright/-/playwright-1.57.0.tgz) and Playwright is a required dependency — therefore this is a runtime remote-code execution dependency.