playwright-runner

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt tells the agent to ask for user credentials and then embed them verbatim into Playwright CLI commands (e.g., fill "{password}"), which requires the LLM to output secret values directly and thus creates an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly navigates to and snapshots arbitrary base URLs (see "Phase 1: Determine Base URL" and numerous playwright-cli -s={session} goto "{base_url}"/snapshot patterns in Phase 3 and the "Snapshot-First Execution Pattern") and even may download test files from profile-provided URLs ("Test Data File Resolution"), meaning it ingests untrusted third-party web content that directly drives element selection, actions, and verification logic.