playwright-runner

Pass

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: SAFE (findings: PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it reads and interprets natural-language workflow steps from files in the /workflows/ directory to drive browser actions.
      • Ingestion points: Reads workflow markdown files (e.g., /workflows/desktop-workflows.md) via the Read and Glob tools.
      • Boundary markers: The instructions do not define clear delimiters or "ignore previous instructions" guards when processing the content of the workflow files.
      • Capability inventory: The skill uses the Bash tool to execute playwright-cli for browser navigation, DOM interaction, and arbitrary JavaScript execution via the eval command. It also uses the Write tool to create reports and AskUserQuestion to obtain user input.
      • Sanitization: The skill lacks logic to sanitize or validate the natural-language instructions before mapping them to executable CLI commands, relying on the agent's interpretation of the text.
  • [COMMAND_EXECUTION]: The skill relies extensively on the Bash tool to execute playwright-cli commands. While this is the primary purpose of the skill, the use of playwright-cli eval to run JavaScript in the browser context presents a significant capability that could be abused if the input workflow files are compromised.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 16, 2026, 01:40 AM