browsing-with-playwright
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to ingest and process untrusted data from external websites.
  - Ingestion points: Website content is ingested via browser_navigate and browser_snapshot (SKILL.md).
  - Boundary markers: None. There are no delimiters or instructions to ignore embedded commands in the processed HTML/text.
  - Capability inventory: The skill provides powerful side-effect capabilities including browser_click, browser_fill_form, browser_evaluate, browser_run_code, and browser_take_screenshot (SKILL.md).
  - Sanitization: None. External content is passed directly to the agent's context.
  - Risk: An attacker-controlled webpage could contain hidden instructions (e.g., in a hidden div) that command the agent to exfiltrate the user's cookies, session data, or page content to a remote server using the provided JS execution tools.
- Dynamic Execution (HIGH): The tools browser_evaluate and browser_run_code allow for arbitrary JavaScript execution within the browser context.
  - Evidence: The browser_run_code tool specifically takes an async (page) => { ... } string and executes it (SKILL.md). This provides a trivial primitive for an injected prompt to perform complex malicious operations like silent data exfiltration via fetch() or automated form submission on sensitive sites.
- Unverifiable Dependencies (LOW): The start-server.sh script executes npx @playwright/mcp@latest.
  - Evidence: npx @playwright/mcp@latest (scripts/start-server.sh).
  - Trust Status: While 'microsoft' is a trusted organization, using @latest without version pinning is a supply chain risk. However, per [TRUST-SCOPE-RULE], this finding is downgraded to LOW due to the official nature of the Playwright ecosystem.
Recommendations
- AI detected serious security threats
Audit Metadata