playwright-trace

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly opens user-provided trace ZIPs (via "npx playwright trace open <trace.zip>") and its traceSnapshot implementation (traceSnapshot.ts) serves DOM snapshots and launches a headless browser + BrowserBackend to run arbitrary browser/CLI commands (backend.callTool) against those snapshots, and other commands (traceRequests, traceConsole, traceAttachment) read and display network requests, console messages and page content extracted from the trace — all of which can contain untrusted, public web content that the agent reads and which can materially influence subsequent tool actions.