playwright-cli
Warn
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill interfaces with the `playwright-cli` tool via Bash, granting the agent full programmatic control over a web browser session.
- [DATA_EXFILTRATION]: The subcommands `state-save`, `cookie-get`, and `localstorage-get` allow for the extraction of sensitive session data, including authentication tokens (e.g., `auth.json`). This poses a risk of session hijacking if data is exfiltrated to an unauthorized location.
- [REMOTE_CODE_EXECUTION]: The `eval` and `run-code` commands permit the execution of arbitrary JavaScript and Playwright code within the browser context, which can be used to perform complex and potentially malicious actions.
- [PROMPT_INJECTION]: The skill presents a large surface for indirect prompt injection as it navigates to external URLs and processes their content via snapshots. A malicious website could embed instructions in the DOM that the agent might interpret and execute.
  - Ingestion points: External web content accessed via `goto` and `snapshot` in `SKILL.md`.
  - Boundary markers: None identified.
  - Capability inventory: Includes browser manipulation, file system writing (`state-save`, `screenshot`), and arbitrary script execution (`eval`, `run-code`).
  - Sanitization: No explicit sanitization or filtering of webpage content is mentioned.
- [EXTERNAL_DOWNLOADS]: The documentation suggests the use of `npx playwright-cli`, which involves downloading and executing code from the public npm registry. This is documented as a vendor resource related to the skill's author.