playwright-cli
Warn
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on a suite of system commands via the `playwright-cli` tool to manage browser instances, sessions, and interactions.
- [REMOTE_CODE_EXECUTION]: The `run-code` command allows for the execution of arbitrary JavaScript within the Node.js/Playwright environment. This is a powerful feature that could be exploited to run malicious scripts if the agent's logic is subverted by untrusted input.
- [DATA_EXFILTRATION]: The skill provides commands to read and save sensitive browser data, including cookies, localStorage, and full session states (`state-save`). If an agent is directed to a malicious site, these capabilities could be used to harvest and exfiltrate authentication tokens or personal data.
- [PROMPT_INJECTION]: The skill has a high surface area for Indirect Prompt Injection because it navigates to and extracts data from external, untrusted websites.
  - Ingestion points: Data is ingested via `snapshot`, `eval`, and page navigation (`open`, `goto`) in `core-commands.md` and `advanced-workflows.md`.
  - Boundary markers: There is no evidence of boundary markers or instructions to ignore embedded commands in the processed web data.
  - Capability inventory: The skill possesses dangerous capabilities including arbitrary code execution (`run-code`), file writing (`state-save`), and network interception (`route`).
  - Sanitization: The skill does not implement sanitization or filtering of the content extracted from web pages before it is returned to the agent context.
Audit Metadata